Edit tour

Windows Analysis Report
zixing.exe

Overview

General Information

Sample name:	zixing.exe
Analysis ID:	1467146
MD5:	4d35a83ceaada68b77334f26d7cb3f77
SHA1:	70b6cf7e98e3a8696a91c59ce0ed65bce41c2749
SHA256:	f7ef51b598dc9640454122ba1bcdb7fb62cee20ac510e5359e0be0178a65a574
Tags:	exe
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zixing.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\zixing.exe" MD5: 4D35A83CEAADA68B77334F26D7CB3F77)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: zixing.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zixing.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zixing.exe

Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00DEA534
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00DFB820
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0A928 FindFirstFileExA,	0_2_00E0A928

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: zwei.exe.0.dr	String found in binary or memory: http://192.168.0.188:9011/mon?monNo=
Source: zwei.exe.0.dr	String found in binary or memory: http://j32303f290.zicp.vip:9011/imageszt/
Source: zwei.exe.0.dr	String found in binary or memory: http://www.Jewsys.com
Source: zwei.exe.0.dr	String found in binary or memory: http://www.zwei.com__vbaFailedFriend

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DE7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00DE7165

Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF65B6	0_2_00DF65B6
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DE8525	0_2_00DE8525
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DE404E	0_2_00DE404E
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF702F	0_2_00DF702F
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEE1E0	0_2_00DEE1E0
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E00146	0_2_00E00146
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DE326D	0_2_00DE326D
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0457A	0_2_00E0457A
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0055E	0_2_00E0055E
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DE27D4	0_2_00DE27D4
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEE7E0	0_2_00DEE7E0
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E047A9	0_2_00E047A9
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF3731	0_2_00DF3731
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEF8A8	0_2_00DEF8A8
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF69EB	0_2_00DF69EB
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF39AC	0_2_00DF39AC
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E00993	0_2_00E00993
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0CA20	0_2_00E0CA20
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF5BE7	0_2_00DF5BE7
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DF3CDD	0_2_00DF3CDD
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEEC54	0_2_00DEEC54
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFFC4A	0_2_00DFFC4A
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E00DC8	0_2_00E00DC8
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEDDAC	0_2_00DEDDAC
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEBD53	0_2_00DEBD53
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0CECE	0_2_00E0CECE
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E10FD4	0_2_00E10FD4
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DE5F0C	0_2_00DE5F0C

Source: C:\Users\user\Desktop\zixing.exe	Code function: String function: 00DFE1C0 appears 52 times
Source: C:\Users\user\Desktop\zixing.exe	Code function: String function: 00DFE0E4 appears 35 times
Source: C:\Users\user\Desktop\zixing.exe	Code function: String function: 00DFEB60 appears 31 times

Source: zixing.exe, 00000000.00000003.1235618538.00000000077D4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamezwei.exe vs zixing.exe

Source: zixing.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zwei.exe.0.dr

Binary or memory string: *\AD:\AAcode\sjgc-zx\code\zwei.vbp

Source: classification engine

Classification label: clean8.winEXE@1/6@1/0

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DE6E5E GetLastError,FormatMessageW,

0_2_00DE6E5E

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DF9D9A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00DF9D9A

Source: C:\Users\user\Desktop\zixing.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6141312

Jump to behavior

Source: C:\Users\user\Desktop\zixing.exe	Command line argument: q	0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe	Command line argument: sfxname	0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe	Command line argument: sfxstime	0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe	Command line argument: STARTDLG	0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe	Command line argument: pZ	0_2_00DFD42A

Source: zixing.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zixing.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\zixing.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\zixing.exe

File read: C:\Users\user\Desktop\zixing.exe

Jump to behavior

Source: C:\Users\user\Desktop\zixing.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zixing.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\zixing.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: zixing.exe

Static file information: File size 3412029 > 1048576

Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zixing.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: zixing.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: zixing.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zixing.exe

Source: zixing.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zixing.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zixing.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zixing.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zixing.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\zixing.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6141312

Jump to behavior

Source: zixing.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFE0E4 push eax; ret		0_2_00DFE102
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFEBA6 push ecx; ret		0_2_00DFEBB9

Source: C:\Users\user\Desktop\zixing.exe

File created: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Source: C:\Users\user\Desktop\zixing.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DEA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00DEA534
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00DFB820
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E0A928 FindFirstFileExA,	0_2_00E0A928

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DFDBC8 VirtualQuery,GetSystemInfo,

0_2_00DFDBC8

Source: C:\Users\user\Desktop\zixing.exe

API call chain: ExitProcess graph end node

graph_0-23646

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00E084EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E084EF

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00E07363 mov eax, dword ptr fs:[00000030h]

0_2_00E07363

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00E0B610 GetProcessHeap,

0_2_00E0B610

Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DFF07B
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00E084EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E084EF
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DFED65
Source: C:\Users\user\Desktop\zixing.exe	Code function: 0_2_00DFEEB3 SetUnhandledExceptionFilter,	0_2_00DFEEB3

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DFEBBB cpuid

0_2_00DFEBBB

Source: C:\Users\user\Desktop\zixing.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00DFA5BC

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DFD42A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00DFD42A

Source: C:\Users\user\Desktop\zixing.exe

Code function: 0_2_00DEAC35 GetVersionExW,

0_2_00DEAC35

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zixing.exe	8%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.zwei.com__vbaFailedFriend	0%	Avira URL Cloud	safe
http://j32303f290.zicp.vip:9011/imageszt/	0%	Avira URL Cloud	safe
http://192.168.0.188:9011/mon?monNo=	0%	Avira URL Cloud	safe
http://www.Jewsys.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zwei.com__vbaFailedFriend	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://192.168.0.188:9011/mon?monNo=	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://j32303f290.zicp.vip:9011/imageszt/	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.Jewsys.com	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467146
Start date and time:	2024-07-03 18:52:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zixing.exe
Detection:	CLEAN
Classification:	clean8.winEXE@1/6@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 115 Number of non-executed functions: 89
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: zixing.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\update\ORDERSEC_STYLETWO.rpt

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 111, Total Editing Time: 2d+02:43:02, Last Printed: Fri Dec 29 07:07:46 2006, Last Saved Time/Date: Mon Jul 1 17:09:37 2024, Create Time/Date: Thu Jul 21 09:56:11 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	7.959311950433979
Encrypted:	false
SSDEEP:	12288:eI3Cmjy5p/orBe5zrYlnQCJ+cQ9RO6hG9HR9+9g7+xYS:eeZWzrkQCKsjgCS
MD5:	23DEA8F594BC8FEAE6E9156203A02708
SHA1:	822F785F0009E8981D7068AF0A1E99C019EF259E
SHA-256:	C9A3351052D7570E950EBA7BC9D1414816969FA94718E51952B2C72647A21A37
SHA-512:	19694F2DCF128CC4BC602F6698E1F96C4C939E1326C62313E3CA84CF2119E148AD82DADDD9EEDFA8C99BAE1315EAC4DE89F5A5A12E5CB6008946918E604F9649
Malicious:	false
Reputation:	low
Preview:	......................>...................................................1...3...4...5...6...7...8...9...:...................................................................................................................................................................................................................................................................................................................................................................................................................................M.....og.............!e..?.JsG....U/Q...\..0e^.[......6.t...9l.l..>.....Z.y.P{.(._..D1.o..^..:..k....&..b..m]..i)..M..=.T..uA`S....yq..GbS...H.o.O$1........}.....fE..y4.:..._.V.3..._..3..~..#`Bx~.7U......l....eE.......uQo....,...w..^Q..q.._.Pm.p.[=A@<...../.......t...n.3.Z....[..S/...E...N.B..z:..^.,k....z9..i.....k-{..t!.UJ.w.>#./..].[.........mT....3O.o@..`..A.Z......*>..s..-.2.."\..TY...O.7.......M..,.L.$..8..+t(...VJ.....n..N..k......k{.....

C:\Users\user\Desktop\update\daysum.rpt

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 52, Total Editing Time: 1d+04:51:03, Last Saved Time/Date: Mon Jul 1 18:57:42 2024, Create Time/Date: Wed Jul 24 13:49:08 2013, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	7.587972873766493
Encrypted:	false
SSDEEP:	768:baT0M3XuAs99crgwLO/7JdiKzJjtAX5O3JR/9gCOOiYF:bT01NrgwLUVdiKzTF5mYF
MD5:	8B7404CF4C5C3E2583DDECE4C87A18EA
SHA1:	0CF2AD6182B51E3ECEF60F42DA420C341D258272
SHA-256:	C98E2086D136A54A57B7DF00DF21C6B07E68EAF762E779C9C33ED0E52FE78E8F
SHA-512:	F393030E33A62448401094C409DE556DC238A09FEB6B791140ED06797FF63E5E25F9223A0D1492AE2B919EE0D57F7370C75C501817444D500F764177D982BE79
Malicious:	false
Reputation:	low
Preview:	......................>.......................;...........................%...................................................................................................................................................................................................................................................................................................................................................................................................................................................S.u.b.d.o.c.u.m.e.n.t. .1.............................................................................L+....P.N+................C.o.n.t.e.n.t.s.....................................................................................................E...........Q.E.S.e.s.s.i.o.n...................................................................................................%...........S.u.b.d.o.c.u.m.e.n.t. .2...........................................................................p.N+

C:\Users\user\Desktop\update\daysum2.rpt

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 19, Total Editing Time: 16:25, Last Saved Time/Date: Wed May 29 09:25:10 2024, Create Time/Date: Wed Apr 8 13:58:23 2020, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.498638783306207
Encrypted:	false
SSDEEP:	96:ZalyUma/zo6AsNOaPi0pVMi5KVVeQK/JZLiyrSiVZqPFEyRhs7w6z9tpdlShY:k2SAyOO2smaCwStPayRGTPpdlS
MD5:	306562DD9CF2CC4539507B6CBA81182A
SHA1:	98D99513D3F669B9CF33BC3CCA0B69FDB6924664
SHA-256:	11EC710D15539B1D5AFDA527F3EC20F774B96482E757DFEC88C95D005E227BAE
SHA-512:	EE3DDEAD0B547712A478FB7A555F5B947B20BFDB9138B672A6EBBBFC07CAFFA02F1E37C6B48DA548428F46B98E25365596B21DB03CB59A020263112B9B37B1D9
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\dayxxb.rpt

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 26, Total Editing Time: 03:35:50, Last Saved Time/Date: Mon May 20 03:14:50 2024, Create Time/Date: Thu Jan 7 12:31:14 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	7.385129249500767
Encrypted:	false
SSDEEP:	384:skgjdFJbR5F3FJb0ARYP2qAk4pOrg0QPwqW:D8XP1+AR/Lk48U0Q4f
MD5:	7A71318019DAFD5A615ADD2F4F096DB4
SHA1:	BFA560750CCC886079C0F0EA2FDF7FEAA980CAEA
SHA-256:	690860D27FA2559B05EE17D6A575729C133F1E6E53A7162F1342A9A176EA0690
SHA-512:	BCB7AF01CAE257713CBFD85ABD6BE64C20221BCCFDFC2FCC51D70DD5729F58F90AD713ECD1D3A757C5499D38B7036E2F6165110A6D8FFF18DD4C2E62D5022DA3
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................m...................}>4!...Dc.B.../...y..L..k.....Yt.o+.!.s:.@.D!..v6...ax.&.V..Z.K..C.7b.m?.4..D3......u.3sv49......@i.d....}..i.....J."..p.)...2.vM.T.]../....6.-...{C....5.$nX...L4....h.g.}9_Y........M1...).Fn...x..Jy..._.o.<Iv.Wpo.<}...g=.<..v.U....].6.(..b.oq\.q.w6/#.is.F..[\..^.Pi..=.~....4v..f..O.$....gZ.....}.s.+..y..TMk8.]..%...i.p^.h..I..g..f...TW........i.P....r./I$+.6 FJv.Y.*.LR..P[X...^7I8o.B..\|I".+?y..T......Oo.v%..3q...%]...d?x

C:\Users\user\Desktop\update\metalout_style1.rpt

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 41, Total Editing Time: 18:22:50, Last Saved Time/Date: Fri Apr 12 09:23:35 2024, Create Time/Date: Tue Dec 13 14:17:25 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	7.085862073119776
Encrypted:	false
SSDEEP:	192:K8st5H9LMDOESQX60DVN/Q/sHXRvRLJVLPkYlEq:ba9LMDOO6bsHBvFJFsp
MD5:	4A169682150EE51D3DD6164B2EC8E8AF
SHA1:	7EAD6E8B40DC34056CE1143EF4558C6754D2A3ED
SHA-256:	C4492256327567F7D42C96B97293B7C68D524F15E54B6CFA3DEA69444978B22E
SHA-512:	A5B13BD02E54EE5B79E59EC7B6CE5272A456AB23C3011E976BA09707CE1046FABE836F8AD20E79CE115F04493CEFD659E33EF3CEA9D3503F97024D00AC776BCB
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\zwei.exe

Download File

Process:	C:\Users\user\Desktop\zixing.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	42930176
Entropy (8bit):	6.346533079717716
Encrypted:	false
SSDEEP:	786432:RYfDmTFvlTTKgwsSGuxtg7HB6Jw+gNwOdtRLzAjcY:RYfDmTFvlTTKgwsSGuxtg7HBVwOdtRLQ
MD5:	E70E3595B4452BB290759EBB2BB1638D
SHA1:	7A409E51E9FD3FE255FD4A7E0C3C0071B1AC2250
SHA-256:	7A375A5922E38726EC778F0B3587E4AFB185F18E4B6394F5418AA1A8D7B65061
SHA-512:	F00CC4208F246AAA434DD68E6206BC9403D0B5AAB098A9BA8F8311B88AD38826FD84C9D68F819896A1C54B393878C6F72A5EF6904E564D058840C6F8AFB228FE
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..A..A....@..(..2......@..RichA..........PE..L......f............................@.............@.......................................................................D...(....@..D1..................................................................(... ....................................text............................. ..`.data....\|..........................@....rsrc...D1...@...@.................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9669293372469125
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zixing.exe
File size:	3'412'029 bytes
MD5:	4d35a83ceaada68b77334f26d7cb3f77
SHA1:	70b6cf7e98e3a8696a91c59ce0ed65bce41c2749
SHA256:	f7ef51b598dc9640454122ba1bcdb7fb62cee20ac510e5359e0be0178a65a574
SHA512:	26e46005ddca00b4502a5571ce02d54350dddea465e34b5b8cb2c3a02a4f215fcab76834a5977a3c5d93cefcb0318a72aba20e401632bd08599d825896eaa29e
SSDEEP:	49152:ML+gDreEEszqLF3jP9cqxbnvnB6GuY2HzwKYav/KarnXLplfePWKwaNYOzP:MCguWm53jVHdvnQGuZH6+K8Xll1K7TP
TLSH:	4DF53343F5C29832C5311535AA2E97226ABA6D301F058BEFB3F8551DAE711E0F1267B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ea80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EF47EA0 [Thu Jun 25 10:38:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FF39CE4F719h
jmp 00007FF39CE4F11Dh
cmp ecx, dword ptr [0043D668h]
jne 00007FF39CE4F295h
ret
jmp 00007FF39CE4F89Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF39CE42147h
mov dword ptr [esi], 00434560h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00434568h
mov dword ptr [ecx], 00434560h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00434548h
push eax
call 00007FF39CE52437h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FF39CE4F29Ch
push 0000000Ch
push esi
call 00007FF39CE4E864h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF39CE420C2h
push 0043A6A4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF39CE51B36h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF39CE4F218h
push 0043A8FCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF39CE51B19h
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3b800	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b834	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0xd470	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x70000	0x2264	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39aa0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x344e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3ada4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30f2a	0x31000	3c04cde3cc3b72af7b1e5a35b06420dc	False	0.5837751116071429	data	6.704420140465974	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa5f2	0xa600	760372d2370342e64378d3e8b917ae32	False	0.457996046686747	data	5.259297003766902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x23720	0x1000	27d251ff3aec1bff309011eb004804f1	False	0.367431640625	data	3.705679035284865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x61000	0x188	0x200	da0d4a9d1bf535265b1265ced51650f2	False	0.443359375	data	3.299508867679483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0xe000	0xd600	c5a64c45000bc269db36337ed1eb70ad	False	0.662985543224299	data	6.816927801960148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x70000	0x2264	0x2400	df2e025914d3601fca48e85a4d0106df	False	0.7727864583333334	data	6.556746947659253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x62644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	Chinese	China	1.0027729636048528
PNG	0x6318c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	Chinese	China	0.9363390441839495
RT_ICON	0x64738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	Chinese	China	0.47832369942196534
RT_ICON	0x64ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	Chinese	China	0.5410649819494585
RT_ICON	0x65548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	Chinese	China	0.4933368869936034
RT_ICON	0x663f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	Chinese	China	0.5390070921985816
RT_ICON	0x66858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	Chinese	China	0.41393058161350843
RT_ICON	0x67900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	Chinese	China	0.3479253112033195
RT_ICON	0x69ea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9809269502193401
RT_DIALOG	0x6dc1c	0x18e	data	Chinese	China	0.6984924623115578
RT_DIALOG	0x6ddac	0xee	data	Chinese	China	0.6974789915966386
RT_DIALOG	0x6de9c	0xd2	data	Chinese	China	0.7285714285714285
RT_DIALOG	0x6df70	0x112	data	Chinese	China	0.6423357664233577
RT_DIALOG	0x6e084	0x29e	data	Chinese	China	0.5119402985074627
RT_DIALOG	0x6e324	0x1e6	data	Chinese	China	0.6646090534979424
RT_STRING	0x6e50c	0xb6	data	Chinese	China	0.7472527472527473
RT_STRING	0x6e5c4	0xd6	data	Chinese	China	0.6962616822429907
RT_STRING	0x6e69c	0xbc	data	Chinese	China	0.776595744680851
RT_STRING	0x6e758	0x74	data	Chinese	China	0.9137931034482759
RT_STRING	0x6e7cc	0x282	data	Chinese	China	0.632398753894081
RT_STRING	0x6ea50	0x94	data	Chinese	China	0.777027027027027
RT_STRING	0x6eae4	0x88	data	Chinese	China	0.8676470588235294
RT_STRING	0x6eb6c	0x7c	data	Chinese	China	0.7096774193548387
RT_STRING	0x6ebe8	0x52	data	Chinese	China	0.8780487804878049
RT_STRING	0x6ec3c	0x78	data	Chinese	China	0.75
RT_GROUP_ICON	0x6ecb4	0x68	data	Chinese	China	0.7019230769230769
RT_MANIFEST	0x6ed1c	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 18:53:34.415323019 CEST	53	58213	162.159.36.2	192.168.2.7
Jul 3, 2024 18:53:34.893450975 CEST	59002	53	192.168.2.7	1.1.1.1
Jul 3, 2024 18:53:34.902771950 CEST	53	59002	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 18:53:34.893450975 CEST	192.168.2.7	1.1.1.1	0x30dc	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 18:53:34.902771950 CEST	1.1.1.1	192.168.2.7	0x30dc	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	12:52:58
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\zixing.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zixing.exe"
Imagebase:	0xde0000
File size:	3'412'029 bytes
MD5 hash:	4D35A83CEAADA68B77334F26D7CB3F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.6%
Total number of Nodes:	1433
Total number of Limit Nodes:	27

Executed Functions

Function 00DFD42A Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF002D: GetModuleHandleW.KERNEL32(kernel32), ref: 00DF0042
Part of subcall function 00DF002D: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DF0054
Part of subcall function 00DF002D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DF0085

Part of subcall function 00DF9D58: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00DF9D60

Part of subcall function 00DFA2B3: OleInitialize.OLE32(00000000), ref: 00DFA2CC
Part of subcall function 00DFA2B3: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DFA303
Part of subcall function 00DFA2B3: SHGetMalloc.SHELL32(00E27430), ref: 00DFA30D

Part of subcall function 00DF130F: GetCPInfo.KERNEL32(00000000,?), ref: 00DF1320
Part of subcall function 00DF130F: IsDBCSLeadByte.KERNEL32(00000000), ref: 00DF1334

GetCommandLineW.KERNEL32 ref: 00DFD472
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00DFD499
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00DFD4AA
UnmapViewOfFile.KERNEL32(00000000), ref: 00DFD4E4

Part of subcall function 00DFD104: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DFD11A
Part of subcall function 00DFD104: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DFD156

CloseHandle.KERNEL32(00000000), ref: 00DFD4ED
GetModuleFileNameW.KERNEL32(00000000,00E3CC88,00000800), ref: 00DFD508
SetEnvironmentVariableW.KERNEL32(sfxname,00E3CC88), ref: 00DFD514
GetLocalTime.KERNEL32(?), ref: 00DFD51F
_swprintf.LIBCMT ref: 00DFD55E
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00DFD570
GetModuleHandleW.KERNEL32(00000000), ref: 00DFD577
LoadIconW.USER32(00000000,00000064), ref: 00DFD58E
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AE20,00000000), ref: 00DFD5DF
Sleep.KERNEL32(?), ref: 00DFD60D
DeleteObject.GDI32 ref: 00DFD646
DeleteObject.GDI32(?), ref: 00DFD656
CloseHandle.KERNEL32 ref: 00DFD699

Strings

q, xrefs: 00DFD452
sfxstime, xrefs: 00DFD56B
winrarsfxmappingfile.tmp, xrefs: 00DFD48D
STARTDLG, xrefs: 00DFD5D4
pZ, xrefs: 00DFD621
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00DFD54F
sfxname, xrefs: 00DFD50F
C:\Users\user\Desktop, xrefs: 00DFD43F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$pZ$sfxname$sfxstime$winrarsfxmappingfile.tmp$q
API String ID: 788466649-2019828027
Opcode ID: 82f8e15d5cd5901177356e36950c09e4dcafc7321f0d23fb9dd17b4c32838e49
Instruction ID: 0dcdfef25c6a2f8e833a76d43ca62c1faf82cceca0080ff42f8d384cf8b401dc
Opcode Fuzzy Hash: 82f8e15d5cd5901177356e36950c09e4dcafc7321f0d23fb9dd17b4c32838e49
Instruction Fuzzy Hash: 0A61C771904348AFD320BF76EC49B7B7BAEEB45700F058029F749B22A1DA749949C771

Function 00DF9D9A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(00DFAD89,PNG,?,?,?,00DFAD89,00000066), ref: 00DF9DAC
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DC4
LoadResource.KERNEL32(00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DD7
LockResource.KERNEL32(00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DE2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DFAD89,00000066), ref: 00DF9E00
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00DFAD89,00000066), ref: 00DF9E11
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DF9E7A
GlobalUnlock.KERNEL32(00000000), ref: 00DF9E99
GlobalFree.KERNEL32(00000000), ref: 00DF9EA0

Strings

PNG, xrefs: 00DF9D9D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 7d709ab7bd4de9cd2bcf431b6ea26c76ef9553b4281322d76ca0f99d0ce5da94
Instruction ID: 7d67ed2998cd60af991c7a6b4564d62b93b0478241723ce25c9cd73808c7cc63
Opcode Fuzzy Hash: 7d709ab7bd4de9cd2bcf431b6ea26c76ef9553b4281322d76ca0f99d0ce5da94
Instruction Fuzzy Hash: 62318471A01309AFC711DF22DC58A6BBFA9FF8575071A8528FB05A2220DB71DC14CB70

Function 00DEA534 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00DEA42F,000000FF,?,?), ref: 00DEA568
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00DEA42F,000000FF,?,?), ref: 00DEA59E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00DEA42F,000000FF,?,?), ref: 00DEA5AA
FindNextFileW.KERNEL32(?,?,?,?,?,?,00DEA42F,000000FF,?,?), ref: 00DEA5D2
GetLastError.KERNEL32(?,?,?,?,00DEA42F,000000FF,?,?), ref: 00DEA5DE

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: f52a749ed2dc27ba1a9b3ac2a8c322a6f21b434afebaea5467e25c767cd7664f
Instruction ID: 78ef5bbcc702d84eca00a501767aa5d75f7384c34bb67fd1ce1d0951a2ca95d4
Opcode Fuzzy Hash: f52a749ed2dc27ba1a9b3ac2a8c322a6f21b434afebaea5467e25c767cd7664f
Instruction Fuzzy Hash: F3418776504682AFC324EF69CC84ADAF7E8FF48350F054A29F699D3140D734B954CB62

Function 00E07363 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E07339,?,00E1AAB8,0000000C,00E07490,?,00000002,00000000), ref: 00E07384
TerminateProcess.KERNEL32(00000000,?,00E07339,?,00E1AAB8,0000000C,00E07490,?,00000002,00000000), ref: 00E0738B
ExitProcess.KERNEL32 ref: 00E0739D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9c71c60362c681fe24a7d26489c7a26bb7e7f21001ace1e655c693f903b4fc5f
Instruction ID: a570d578248e63db3e32c0b62e92e29186d6427c83606c0b5df1f1e1a43fed92
Opcode Fuzzy Hash: 9c71c60362c681fe24a7d26489c7a26bb7e7f21001ace1e655c693f903b4fc5f
Instruction Fuzzy Hash: 31E0863140020CAFDF016F11DD089883B69EF04381F009014FE897A171CB39EC91DB50

Function 00DE8525 Relevance: 3.9, APIs: 2, Instructions: 945COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE852A
_memcmp.LIBVCRUNTIME ref: 00DE89B2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 86dc8bd7eaa5a2993d4ad443a985c2820d50423bbd91920a4e52889349378a5c
Instruction ID: bc3f58f39545795838397af8b766c309db38383c5644108187451f70f25e21c0
Opcode Fuzzy Hash: 86dc8bd7eaa5a2993d4ad443a985c2820d50423bbd91920a4e52889349378a5c
Instruction Fuzzy Hash: 228209709042C5AEDF25EB66C895BFAB7B9BF15300F0C41BAE84D9B182DB315A44DB70

Function 00DF65B6 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f615dab41c66011d2439e4af8fcd3f33768372f5887fed93e22c81073cd8b4b6
Instruction ID: e748bddaabee7ad73e1d2747c90ec40994239dd06cd0103db0dbcb8b7550d7a5
Opcode Fuzzy Hash: f615dab41c66011d2439e4af8fcd3f33768372f5887fed93e22c81073cd8b4b6
Instruction Fuzzy Hash: A5D11AB16043498FDB14DF28C84077BBBE0EF55308F09856DEA849BA42D774E954CBB6

Function 00DF002D Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00DF0042
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DF0054
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DF0085
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DF0332
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF034E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF0360
ReadFile.KERNEL32(00000000,?,00007FFE,00E12BA4,00000000), ref: 00DF037F
CloseHandle.KERNEL32(00000000), ref: 00DF03D7
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DF03ED
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00DF0445
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00DF046E
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00DF04A8

Part of subcall function 00DEFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DEFFFE
Part of subcall function 00DEFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEEAC6,Crypt32.dll,00000000,00DEEB4A,?,?,00DEEB2C,?,?,?), ref: 00DF0020

_swprintf.LIBCMT ref: 00DF051C
_swprintf.LIBCMT ref: 00DF0568

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

AllocConsole.KERNEL32 ref: 00DF0570
GetCurrentProcessId.KERNEL32 ref: 00DF057A
AttachConsole.KERNEL32(00000000), ref: 00DF0581
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00DF05A7
WriteConsoleW.KERNEL32(00000000), ref: 00DF05AE
Sleep.KERNEL32(00002710), ref: 00DF05B9
FreeConsole.KERNEL32 ref: 00DF05BF
ExitProcess.KERNEL32 ref: 00DF05C7

Strings

`-, xrefs: 00DF015A
dwmapi.dll, xrefs: 00DF04DF
uxtheme.dll, xrefs: 00DF04E9
(., xrefs: 00DF019A
(0, xrefs: 00DF0281
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00DF0556
x-, xrefs: 00DF0162
X0, xrefs: 00DF0297
\1, xrefs: 00DF0305
01, xrefs: 00DF02EF
</, xrefs: 00DF0213
8,, xrefs: 00DF00F2
SetDllDirectoryW, xrefs: 00DF004E
X., xrefs: 00DF01B0
p0, xrefs: 00DF02A2
SetDefaultDllDirectories, xrefs: 00DF007F
/, xrefs: 00DF0260
@., xrefs: 00DF01A5
,, xrefs: 00DF00EA
l,, xrefs: 00DF04BA
DXGIDebug.dll, xrefs: 00DF00C7, 00DF0431
D1, xrefs: 00DF02FA
4-, xrefs: 00DF014A
@0, xrefs: 00DF028C
D-, xrefs: 00DF0152
p., xrefs: 00DF01BB
T+, xrefs: 00DF00B2
|,, xrefs: 00DF010A
kernel32, xrefs: 00DF003B
/, xrefs: 00DF0208
p/, xrefs: 00DF0229
., xrefs: 00DF01E7
T/, xrefs: 00DF021E
P,, xrefs: 00DF00FA

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: ,$ /$(.$(0$01$4-$8,$</$@.$@0$D-$D1$DXGIDebug.dll$P,$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T+$T/$X.$X0$\1$`-$dwmapi.dll$kernel32$l,$p.$p/$p0$uxtheme.dll$x-$|,$.$/
API String ID: 1201351596-127734601
Opcode ID: d9b7e5ee25c0ed4597a42c8db83c94b6f01344d9ec6c6b8bd806123add79d89d
Instruction ID: a562b3f44bfec3aef8af9e450dad54e968ca240eaa438bbda5417203c1a42e98
Opcode Fuzzy Hash: d9b7e5ee25c0ed4597a42c8db83c94b6f01344d9ec6c6b8bd806123add79d89d
Instruction Fuzzy Hash: 30D160B11083849BD7219F61DC4ABDFBAE8EBC9704F50591CF789B6151CBB08698CB62

Function 00DFAE20 Relevance: 97.0, APIs: 46, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DFAE25

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00DFB1C1
LICENSEDLG, xrefs: 00DFB6B1
winrarsfxmappingfile.tmp, xrefs: 00DFB1FC
STARTDLG, xrefs: 00DFAE44
<, xrefs: 00DFB1DA
ht, xrefs: 00DFB21F
"%s"%s, xrefs: 00DFB363
@, xrefs: 00DFB1E7
__tmp_rar_sfx_access_check_%u, xrefs: 00DFB10B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$ht$winrarsfxmappingfile.tmp
API String ID: 810644672-3593360542
Opcode ID: 98cff9d7b2e48763feb600c9c75e72afe71527510a1ff94e05042fb3d9f09f98
Instruction ID: cb064630ea6a621f514fe5ffee495759cc6fc4769aeb8cbba45d3e0a2430e079
Opcode Fuzzy Hash: 98cff9d7b2e48763feb600c9c75e72afe71527510a1ff94e05042fb3d9f09f98
Instruction Fuzzy Hash: 6D42D67094434CAEEB21ABA2DC4AFBE7B78EB02710F058055F745B61D1CB754989CB32

Function 00DED281 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DED286
_wcschr.LIBVCRUNTIME ref: 00DED2A7
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00DED268,?), ref: 00DED2C2
__fprintf_l.LIBCMT ref: 00DED7B3

Part of subcall function 00DF12D6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00DEB592,00000000,?,?,?,0001043C), ref: 00DF12F2

Strings

, xrefs: 00DED5BA
RTL, xrefs: 00DED778
$), xrefs: 00DED5EF
$%s:, xrefs: 00DED796
@%s:, xrefs: 00DED79D, 00DED7A9
*messages***, xrefs: 00DED3DA
*messages***, xrefs: 00DED413
,, xrefs: 00DED7EE
a, xrefs: 00DED42F
R, xrefs: 00DED425

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$)$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-664227043
Opcode ID: 9d7b7b3b22ce874d0a3b4585a8d8f3d2980f5259a82e08a45124b3ffdc2c5388
Instruction ID: 387d6547c986a1516d52759fd746cc1b3720cb9855ced32ba591f61b2f2f3983
Opcode Fuzzy Hash: 9d7b7b3b22ce874d0a3b4585a8d8f3d2980f5259a82e08a45124b3ffdc2c5388
Instruction Fuzzy Hash: 5E12BF719002899EDF25EFA5DC81BEEB7B6FF44300F54446AE506B7281EB709A84CB74

Function 00DFC9E2 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DFABC4: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFABD5
Part of subcall function 00DFABC4: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFABE6
Part of subcall function 00DFABC4: IsDialogMessageW.USER32(0001043C,?), ref: 00DFABFA
Part of subcall function 00DFABC4: TranslateMessage.USER32(?), ref: 00DFAC08
Part of subcall function 00DFABC4: DispatchMessageW.USER32(?), ref: 00DFAC12

GetDlgItem.USER32(00000068,00E3DCA8), ref: 00DFC9F6
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00DFA5B2), ref: 00DFCA1E
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFCA29
SendMessageW.USER32(00000000,000000C2,00000000,00E125B4), ref: 00DFCA37
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFCA4D
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DFCA67
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFCAAB
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DFCAB9
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFCAC8
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFCAEF
SendMessageW.USER32(00000000,000000C2,00000000,00E1331C), ref: 00DFCAFE

Strings

\, xrefs: 00DFCA57

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: c2afdd645b2f5a7f912f8f2051e3d338c4ba2dc7afed9a6888e98e8e637a67ea
Instruction ID: 709abfdea0f21d37fa1a5395d265e94f227e9172363cb364459fe99aa9749aa9
Opcode Fuzzy Hash: c2afdd645b2f5a7f912f8f2051e3d338c4ba2dc7afed9a6888e98e8e637a67ea
Instruction Fuzzy Hash: 38313475145385BFD311DF21DC4AFAB7FACEB42304F000508F690A6191DBA5598A8777

Function 00E09ED8 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E04DDB,00E04DDB,?,?,?,00E0A129,00000001,00000001,7FE85006), ref: 00E09F32
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E0A129,00000001,00000001,7FE85006,?,?,?), ref: 00E09FB8
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,7FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E0A0B2
__freea.LIBCMT ref: 00E0A0BF

Part of subcall function 00E08398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E03866,?,0000015D,?,?,?,?,00E04D42,000000FF,00000000,?,?), ref: 00E083CA

__freea.LIBCMT ref: 00E0A0C8
__freea.LIBCMT ref: 00E0A0ED

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a6bdf27248f9cd39033b6b244c52509308f41d4cae59cdae84fc1c67787ae53f
Instruction ID: eaa556a7f706384514ed79de0f8ef46c5b181e40fa6820afe395dcc07aaf424a
Opcode Fuzzy Hash: a6bdf27248f9cd39033b6b244c52509308f41d4cae59cdae84fc1c67787ae53f
Instruction Fuzzy Hash: 0F51AD7261031EAEEB258F64CC41EBF77A9EB44754F195638F904F7181EB34EC8086A2

Function 00DE9950 Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00DE7886,?,00000005,?,00000011), ref: 00DE99EC
GetLastError.KERNEL32(?,?,00DE7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE99F9
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00DE7886,?,00000005,?), ref: 00DE9A2E
GetLastError.KERNEL32(?,?,00DE7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE9A36
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00DE7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE9A7B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: a94b102a46d688b2af52a8a16d259ded396a5cb1168d7b2a9fb5fbd5f9d2fc7e
Instruction ID: 41253d0f6a36c4255d155918600bbc6bad5b9c1900e714032979404c744222e3
Opcode Fuzzy Hash: a94b102a46d688b2af52a8a16d259ded396a5cb1168d7b2a9fb5fbd5f9d2fc7e
Instruction Fuzzy Hash: B14133305457866FE720AF228C05BDAFBE0EF05324F144729F9A0961D1D7B5A898CBB1

Function 00DFABC4 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFABD5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFABE6
IsDialogMessageW.USER32(0001043C,?), ref: 00DFABFA
TranslateMessage.USER32(?), ref: 00DFAC08
DispatchMessageW.USER32(?), ref: 00DFAC12

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: f3df7a6a98cc772fa7513e97999cb51c7b9db4b1e9dae549c5c44afc925a36da
Instruction ID: 16a2bbd87f26ccff15e24d40a366b712ee3115d91b80f7f3db0c8aa6df390a6c
Opcode Fuzzy Hash: f3df7a6a98cc772fa7513e97999cb51c7b9db4b1e9dae549c5c44afc925a36da
Instruction Fuzzy Hash: 9DF01D75A01269AF8F20ABE7EC4CDEB7F6CEF062917448055B919E2010E624D48AC7F0

Function 00DFA245 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00DFA25C
SHAutoComplete.SHLWAPI(?,00000010), ref: 00DFA293

Part of subcall function 00DF1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00DEBA45,00000000,.exe,?,?,00000800,?,?,00DF854F,?), ref: 00DF171E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00DFA283

Strings

EDIT, xrefs: 00DFA267, 00DFA272, 00DFA27F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: b9f00c15636e7201545ae4e67c03ab94882ea1700e0a56ef06228e6fd3acf374
Instruction ID: 89d9eb95d42a4bb19cf7d5f1d11f2358870134c4d2d5e30382ec7a9bcc5030fd
Opcode Fuzzy Hash: b9f00c15636e7201545ae4e67c03ab94882ea1700e0a56ef06228e6fd3acf374
Instruction Fuzzy Hash: 0CF05936B0031C7BDB30566A8C05FEF776C9B46B01F094056FE08B6180C3609986C5FA

Function 00DFA2B3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DEFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DEFFFE
Part of subcall function 00DEFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEEAC6,Crypt32.dll,00000000,00DEEB4A,?,?,00DEEB2C,?,?,?), ref: 00DF0020

OleInitialize.OLE32(00000000), ref: 00DFA2CC
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DFA303
SHGetMalloc.SHELL32(00E27430), ref: 00DFA30D

Strings

riched20.dll, xrefs: 00DFA2BB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: abbfade142cf7066f53bbc96053dd471ce4043e70689d4f6bdc00c3752ab75c2
Instruction ID: 47f57ed45e7baafa9690b36e1dd2bf449cdce75e5fc4edcbf4ecd9e80c7cd824
Opcode Fuzzy Hash: abbfade142cf7066f53bbc96053dd471ce4043e70689d4f6bdc00c3752ab75c2
Instruction Fuzzy Hash: 55F04FB5D00209AFCB10AFAAD8499EFFFFCEF45304F00415AE914F2210CBB456498BA1

Function 00DFD104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DFD11A
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DFD156

Strings

sfxpar, xrefs: 00DFD151
sfxcmd, xrefs: 00DFD115

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 4edf13138d510f1bce9ee61e2d5ad04e9a434e2b114f028ee0467e057c559306
Instruction ID: 1e9a7554ae003de77650188042deaa7f94cbf501e8f4e705edaaa009bb04d982
Opcode Fuzzy Hash: 4edf13138d510f1bce9ee61e2d5ad04e9a434e2b114f028ee0467e057c559306
Instruction Fuzzy Hash: 66F0A7B290132CA6C7206FD69C09AFA775ADF0A741B018155FF48A6241D6618950E7F1

Function 00DEA1EB Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00DE808F,?,?,?), ref: 00DEA291
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00DE808F,?,?), ref: 00DEA2D5
SetFileTime.KERNELBASE(?,00000800,?,00000000,?,00000000,?,00DE808F,?,?,?,?,?,?,?,?), ref: 00DEA356
CloseHandle.KERNEL32(?,?,00000000,?,00DE808F,?,?,?,?,?,?,?,?,?,?,?), ref: 00DEA35D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 5fdff5922b1ca975686ae8b9db3d049337ebc3de9402c3ae3c2744590dd972b5
Instruction ID: 8bd7f4b0db6b32a0315da0b0933c26d90f298700b4f9bff9b24f054b447e87db
Opcode Fuzzy Hash: 5fdff5922b1ca975686ae8b9db3d049337ebc3de9402c3ae3c2744590dd972b5
Instruction Fuzzy Hash: 9941D2301483C69AD721EF69DC41BEABBE89B85700F08491DB6D0A31C1C665EA48DB73

Function 00DE97EE Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DE97FE
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00DE9816
GetLastError.KERNEL32 ref: 00DE9848
GetLastError.KERNEL32 ref: 00DE9867

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: d4824831850b574d57367f24a21b89c0add29dea8eec31f7c2bd7e2861fd905d
Instruction ID: b5c7bdeb98b9f779079a50cfc48dc3e7d293df3f7f518b273c65f8e8d27aa7a8
Opcode Fuzzy Hash: d4824831850b574d57367f24a21b89c0add29dea8eec31f7c2bd7e2861fd905d
Instruction Fuzzy Hash: 95119430901244EFDB20AE52CC6466DB799FB06361F14C52AF59AD5170D734CD44EF71

Function 00E0A374 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00E036CF,00000000,00000000,?,00E0A31B,00E036CF,00000000,00000000,00000000,?,00E0A518,00000006,FlsSetValue), ref: 00E0A3A6
GetLastError.KERNEL32(?,00E0A31B,00E036CF,00000000,00000000,00000000,?,00E0A518,00000006,FlsSetValue,00E16328,00E16330,00000000,00000364,?,00E08EF7), ref: 00E0A3B2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E0A31B,00E036CF,00000000,00000000,00000000,?,00E0A518,00000006,FlsSetValue,00E16328,00E16330,00000000), ref: 00E0A3C0

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 924056b6888a862e71ae31212c8589104b37d606fb21dbae7c1829c8ef8fb88f
Instruction ID: 3d7a1fcddfebe1d56d41b0ddcbc1a63e07476785e933d6f30be0d8d23b0709fa
Opcode Fuzzy Hash: 924056b6888a862e71ae31212c8589104b37d606fb21dbae7c1829c8ef8fb88f
Instruction Fuzzy Hash: BE01F73270132AAFC7218F69EC44A9E7B58AF157A27186635FA06F71C0D724D854C7E1

Function 00DF07E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00010930,?,00000000,00000000), ref: 00DF080B
SetThreadPriority.KERNEL32(?,00000000), ref: 00DF0852

Part of subcall function 00DE6E26: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE6E44

Strings

CreateThread failed, xrefs: 00DF0817

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 1d5078404e252865c25ffe2af58b93b45fb1039f339a454dd02b2fc4dd373a5a
Instruction ID: c278c654412aaad400796582c4a002b35636a933b47ab430e3c91bcae5512b43
Opcode Fuzzy Hash: 1d5078404e252865c25ffe2af58b93b45fb1039f339a454dd02b2fc4dd373a5a
Instruction Fuzzy Hash: DD0126B134430AAFD2207E54EC86BB23B99EB55752F21403DF785721C1CAE0AC85C6B0

Function 00DE9E6F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00DECBD4,00000001,?,?,?,00000000,00DF4E3D,?,?,?), ref: 00DE9E8C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00DF4E3D,?,?,?,?,?,00DF48E2,?), ref: 00DE9ECE
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00DECBD4,00000001,?,?), ref: 00DE9EF8

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 2f08b9952df8d6f02fb379694ef2ce35d82e9ef0dab52df0d65371c122c94a73
Instruction ID: 317b76550da92bb2f10f40b268902e3c38c0432ef76efe6d7f6fbcda3495dd2e
Opcode Fuzzy Hash: 2f08b9952df8d6f02fb379694ef2ce35d82e9ef0dab52df0d65371c122c94a73
Instruction Fuzzy Hash: BB31267020A3819BDB10EF25DC147AAFBA8EF90710F08465DF945AB191C770DC48CBB2

Function 00DEA147 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA16E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA1A1
GetLastError.KERNEL32(?,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA1BE

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 8aebc98ba4cb06285f1e65f4625a8457e5d88bd8383ee6e2329d975d8e94a534
Instruction ID: e9c80bd88c5e777948695fc35e4e328fb2b00fe13c1df8028bb1a627eb45b59f
Opcode Fuzzy Hash: 8aebc98ba4cb06285f1e65f4625a8457e5d88bd8383ee6e2329d975d8e94a534
Instruction Fuzzy Hash: 3D01B1315543D6AAEB21BA6F4C05BFE3359AF0A382F084446F941E6091D764F981E6B3

Function 00DEC767 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DEC76C
new.LIBCMT ref: 00DEC7AF
new.LIBCMT ref: 00DEC7D3

Part of subcall function 00DE6027: __EH_prolog.LIBCMT ref: 00DE602C

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c8f7bf5794a0f574d0dec6efb03120f1a04e647e69c8d3c0b7f101c10e3982cb
Instruction ID: e1b746df0ec13676ddd7e1fc9f41fdf2a1c0167a7c2ba3f097e12502c1dd953b
Opcode Fuzzy Hash: c8f7bf5794a0f574d0dec6efb03120f1a04e647e69c8d3c0b7f101c10e3982cb
Instruction Fuzzy Hash: 6D11E0B5A002889ADB10FBBAD5057AEBBE8DF94300F10446EF549D3242DBB49E00C772

Function 00E0AE73 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E0AE98

Strings

, xrefs: 00E0AEDD

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ec64657f9d42117d0425f60ea35663b9c6a78ad3c1d48179c6819f75b6de19bf
Instruction ID: 8e2b3dd1da61a6b6ef7fdadaca104cde4ed070db3911c6df058019c00fa9490f
Opcode Fuzzy Hash: ec64657f9d42117d0425f60ea35663b9c6a78ad3c1d48179c6819f75b6de19bf
Instruction Fuzzy Hash: 42412BB060434D9EDB21CE64CC84AF6BBE9DB45308F1854FDE58AA7182D235AAC5DF21

Function 00E0A5AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,7FE85006,00000001,?,000000FF), ref: 00E0A61D

Strings

LCMapStringEx, xrefs: 00E0A5BD, 00E0A5C7

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 66988f535a7222aae3c3fb8ec50273b9011ab6b68e53937c7d6d31abe6810b69
Instruction ID: cad3b1d55d5fb2c18622724c32df53da6bfc472c94367a977986af674486e714
Opcode Fuzzy Hash: 66988f535a7222aae3c3fb8ec50273b9011ab6b68e53937c7d6d31abe6810b69
Instruction Fuzzy Hash: B001D37264120DBBCF025F91DC05DEE7FA2EB48754F098168FE14661A1CA368AB1EB91

Function 00E0A54A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E09BAF), ref: 00E0A595

Strings

InitializeCriticalSectionEx, xrefs: 00E0A565

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: ab2190976c2fb767844823e93a779b2d0322b02a21d99bb6b9f6370bf911f549
Instruction ID: de1bdd9d183721816ee026e7ba40a2a25de8de33266b65531b6f881cc7908ee7
Opcode Fuzzy Hash: ab2190976c2fb767844823e93a779b2d0322b02a21d99bb6b9f6370bf911f549
Instruction Fuzzy Hash: 70F0B47164130CBFCB116F51DC05CEE7FA1FB48720B058124FD187B2A0DA324AA0EB91

Function 00E0A3EF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00E0A42E

Strings

FlsAlloc, xrefs: 00E0A40A

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 697b078dc3895716ea3075abe2d9a9e1da264b95b56e32632ee6951cc72e7d16
Instruction ID: 0146689e7e52bb0d99333cb696bde9ce43e26d240986f160f3b0f02c5a50a650
Opcode Fuzzy Hash: 697b078dc3895716ea3075abe2d9a9e1da264b95b56e32632ee6951cc72e7d16
Instruction Fuzzy Hash: 8DE05571B4230CAFC200AF618C06CEEBBA0DB44710B408068FD1573291CE710E9087D6

Function 00E030D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00E030EC

Strings

FlsAlloc, xrefs: 00E030DB, 00E030E5

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: aa15d418260b311f801eb119342e7908085315f7411df7d1638b4477a0642df5
Instruction ID: 864170fc2c17e0030d8a07ce05b52e4d224d8c94c80121c409b9c5b6c4378d1e
Opcode Fuzzy Hash: aa15d418260b311f801eb119342e7908085315f7411df7d1638b4477a0642df5
Instruction Fuzzy Hash: 94D02BF1B8172877C10036D01C07DE9BE48C742FB5F041061FF08713C2D5B2059042D9

Function 00E0B1D0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00E0AD9B: GetOEMCP.KERNEL32(00000000,?,?,00E0B024,?), ref: 00E0ADC6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E0B069,?,00000000), ref: 00E0B244
GetCPInfo.KERNEL32(00000000,00E0B069,?,?,?,00E0B069,?,00000000), ref: 00E0B257

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 03a81c862ef7c214f6cf5dbc07dd9fbd94d6dc3120eefb88be5c518845154a4b
Instruction ID: 0f64281411c489148015e08833829b69417044154322fdb1876216119a37a15e
Opcode Fuzzy Hash: 03a81c862ef7c214f6cf5dbc07dd9fbd94d6dc3120eefb88be5c518845154a4b
Instruction Fuzzy Hash: 3B5136709003059EDB249F71C881ABFBBE5FF41304F24906ED496AB2E1D77895C6CB90

Function 00DF2BB2 Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DF2D14
__CxxThrowException@8.LIBVCRUNTIME ref: 00DF2D2C

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 16e36e7d69a58708337d080df310bb2782a594b47fe39b47da9ba2a2fc164cf4
Instruction ID: d17a9e461d3903c66242c44097510d9d72696bc6868a9eb2f7df476f821e8aec
Opcode Fuzzy Hash: 16e36e7d69a58708337d080df310bb2782a594b47fe39b47da9ba2a2fc164cf4
Instruction Fuzzy Hash: 314136B0608749ABE72CEA34D8947BAF7D4BF50304F098929E75853182C774A894C7B6

Function 00DE13B6 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE13B6

Part of subcall function 00DE6027: __EH_prolog.LIBCMT ref: 00DE602C

Part of subcall function 00DEC767: __EH_prolog.LIBCMT ref: 00DEC76C
Part of subcall function 00DEC767: new.LIBCMT ref: 00DEC7AF
Part of subcall function 00DEC767: new.LIBCMT ref: 00DEC7D3

new.LIBCMT ref: 00DE142F

Part of subcall function 00DEAFBD: __EH_prolog.LIBCMT ref: 00DEAFC2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0cdafa04bbb7a9a92e541557f1d9dbe2d3a290ebfc6da859543126cf8315659a
Instruction ID: 2abac73509c93c52b8a29519fe58ccfc16ddab8dec1689070d2342474090fabf
Opcode Fuzzy Hash: 0cdafa04bbb7a9a92e541557f1d9dbe2d3a290ebfc6da859543126cf8315659a
Instruction Fuzzy Hash: 044116B0905B44DEE724DF7A84859E6FBE5FF18300F50492EE6EE83282DB326554CB21

Function 00DE13B1 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE13B6

Part of subcall function 00DE6027: __EH_prolog.LIBCMT ref: 00DE602C

Part of subcall function 00DEC767: __EH_prolog.LIBCMT ref: 00DEC76C
Part of subcall function 00DEC767: new.LIBCMT ref: 00DEC7AF
Part of subcall function 00DEC767: new.LIBCMT ref: 00DEC7D3

new.LIBCMT ref: 00DE142F

Part of subcall function 00DEAFBD: __EH_prolog.LIBCMT ref: 00DEAFC2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6329297ad58fb78e40306d5db45117f08d98f03641d11c6ead1b607d2af04046
Instruction ID: 6feac74b7615e1b8be33eb559c6b93a277e7a15c4e0a84d0ea9b27e757672350
Opcode Fuzzy Hash: 6329297ad58fb78e40306d5db45117f08d98f03641d11c6ead1b607d2af04046
Instruction Fuzzy Hash: 744116B0905B449EE724DF7A84859E6FAE5FF18300F40492ED2EE83282DB326554CB21

Function 00E0B007 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00E08E25: GetLastError.KERNEL32(?,00E1FF50,00E03C54,00E1FF50,?,?,00E036CF,?,?,00E1FF50), ref: 00E08E29
Part of subcall function 00E08E25: _free.LIBCMT ref: 00E08E5C
Part of subcall function 00E08E25: SetLastError.KERNEL32(00000000,?,00E1FF50), ref: 00E08E9D
Part of subcall function 00E08E25: _abort.LIBCMT ref: 00E08EA3

Part of subcall function 00E0B12E: _abort.LIBCMT ref: 00E0B160
Part of subcall function 00E0B12E: _free.LIBCMT ref: 00E0B194

Part of subcall function 00E0AD9B: GetOEMCP.KERNEL32(00000000,?,?,00E0B024,?), ref: 00E0ADC6

_free.LIBCMT ref: 00E0B07F
_free.LIBCMT ref: 00E0B0B5

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 65e6bbf3f3fe48931c22e4a84804893be8089ee907b7cbaa86fb8288a7f8075f
Instruction ID: 8a5523b6f0cb7658b2eb03fbc057270a5cef328b3cfec9d8405f2412186c6732
Opcode Fuzzy Hash: 65e6bbf3f3fe48931c22e4a84804893be8089ee907b7cbaa86fb8288a7f8075f
Instruction Fuzzy Hash: 0431B331904208EFDB10EFA8D941BAEB7E5FF40324F255199E454BB2D1DB729D81CB50

Function 00DE96BE Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00DE9E1C,?,?,00DE7840), ref: 00DE9746
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00DE9E1C,?,?,00DE7840), ref: 00DE977B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0783792cdcbf5600aadf36ca35542b6369d60185284c5a60287490723c59a3f9
Instruction ID: 08236796f67e71ad54a3203bfb7287bf63ce7fa027db724cd986dd07769b8ca6
Opcode Fuzzy Hash: 0783792cdcbf5600aadf36ca35542b6369d60185284c5a60287490723c59a3f9
Instruction Fuzzy Hash: EE210A71401784AED730AF55CC45BA7B7E8EB45364F044A2EF5E5821D1C374AD489A70

Function 00DE9CA2 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00DE7520,?,?,?,?), ref: 00DE9CBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00DE9D6C

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 621ac39bfbe6979b2cedac1e9838865bce2818f4bb748ab0f9134d092baa93fe
Instruction ID: a69ab904168a48b1cf1ea23fa1cf1e11a8f2aef0829d24a8e5603e56b1b6fcfd
Opcode Fuzzy Hash: 621ac39bfbe6979b2cedac1e9838865bce2818f4bb748ab0f9134d092baa93fe
Instruction Fuzzy Hash: 7721E4311492959BC714EE26C8A1ABAFBE8AB95304F18491CB8C087151D329EE4CD7B1

Function 00E0A2D8 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E0A338
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E0A345

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 27fabc8bc3e71d42c5519599980f56574a4367a45c7d7ebfe2eb65efe93e1a7c
Instruction ID: bfc12fc45af476c7c941f88c866552019b3204aeb77f7427c170a5a9513c1fce
Opcode Fuzzy Hash: 27fabc8bc3e71d42c5519599980f56574a4367a45c7d7ebfe2eb65efe93e1a7c
Instruction Fuzzy Hash: DA112373A013298FCB219E29EC4089E7391AB8076471E8230ED15FB2C4D638EC81C7D2

Function 00DE9AF5 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001960,?,00000800,-00001960,00DE9AD1,?,?,00000000,?,?,00DE8D43,?), ref: 00DE9B5C
GetLastError.KERNEL32 ref: 00DE9B69

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6ce08528b2bb223db82e11a5989e78ff0a52b66168391e144330186026ef1b5d
Instruction ID: d8207e5f71d2654b5b9da689360bde1855ce0887dc330a1ccc8d93dd17a5224d
Opcode Fuzzy Hash: 6ce08528b2bb223db82e11a5989e78ff0a52b66168391e144330186026ef1b5d
Instruction Fuzzy Hash: 2B0108313023409F8718EE67ACE487EF359EB84721B18432DF95787290DA70D8059630

Function 00DE9D80 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00DE9DB6
GetLastError.KERNEL32 ref: 00DE9DC2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 02e1689eb8981c9d3aaebef876d04b900349328282dba3571ecfb7a483ba39de
Instruction ID: 70546017d99b4fe6c6b8e0137cff5a667cbd55490921b7d04303518a7098e372
Opcode Fuzzy Hash: 02e1689eb8981c9d3aaebef876d04b900349328282dba3571ecfb7a483ba39de
Instruction Fuzzy Hash: 470192707022506BDB34AE2ADC957AAF7D9DF84759F14863DB142C3680DA74DC0DC631

Function 00E08486 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E084A7

Part of subcall function 00E08398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E03866,?,0000015D,?,?,?,?,00E04D42,000000FF,00000000,?,?), ref: 00E083CA

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00E1FF50,00DECD97,?,?,?,?,?,?), ref: 00E084E3

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 78daef70a2e719400ed0991db26cf34086b709b9dfc96ca9eab45fc75f8a42ef
Instruction ID: 386873d9cc166baf2caa1b37a0eded4888cbe89629225ae660d6c73ea0136178
Opcode Fuzzy Hash: 78daef70a2e719400ed0991db26cf34086b709b9dfc96ca9eab45fc75f8a42ef
Instruction Fuzzy Hash: A9F09C3120061769CB612B259E01FAF379C9FC1B74B15A126F9F8F61D1DF74D8C091A1

Function 00DF0866 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00DF0873
GetProcessAffinityMask.KERNEL32(00000000), ref: 00DF087A

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 8fc93a20e9a60cdf1444292e08d724be2c9c0d1819f2a5bcc216b85a6a78443a
Instruction ID: ef854c3f8e3bb090d073e3cbfc7c5fdd560d52546f535e0a21adfccf6465c8be
Opcode Fuzzy Hash: 8fc93a20e9a60cdf1444292e08d724be2c9c0d1819f2a5bcc216b85a6a78443a
Instruction Fuzzy Hash: 1FE09B72E1010DBB5F28AAA99C048FB7BDDEB48285719C179EA42D7502F634DD1147F0

Function 00DEDD3F Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000000,00000096,00DF0FE6,00000000), ref: 00DEDD6F
LoadStringW.USER32(00000000,00000096,00DF0FE6), ref: 00DEDD86

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 47f71808139ff13342e0c5efb0d4b9255e6fc09c6f4876eaf5486d3380e9988c
Instruction ID: 56543ef3cb12ac25623963b043e21afd6982e155df928d594ca16c1b9c5461d4
Opcode Fuzzy Hash: 47f71808139ff13342e0c5efb0d4b9255e6fc09c6f4876eaf5486d3380e9988c
Instruction Fuzzy Hash: B9F01239111294BFCF126F66DC04DEB7F6AFF1A3A07044025FE04A6131C6328860DBE0

Function 00DEA384 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DEA1BA,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA398
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DEA1BA,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA3C9

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 95d84c8495a7357a4184f0272912da8970fd5ea99a615caad18f609bd038a3d6
Instruction ID: cb89d5ece609ef6a3ff877ea60200019f0204175d06afd77e915d5e6aac50cab
Opcode Fuzzy Hash: 95d84c8495a7357a4184f0272912da8970fd5ea99a615caad18f609bd038a3d6
Instruction Fuzzy Hash: 20F0A03114024DABDF016F66DC00BEA376CEB08381F088055BD8896160DB729AA9EB61

Function 00DFD3C9 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DFD3F7
SetDlgItemTextW.USER32(00000065,?), ref: 00DFD40E

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 3f9c736b08c802b8ce91aadc4fcd6dbbce24c2cc1520243f19255a3af6cfc22a
Instruction ID: 5bc3b240308e1297f248679c846819ba73168a32c83a7a10c01b1ea4938e4a0b
Opcode Fuzzy Hash: 3f9c736b08c802b8ce91aadc4fcd6dbbce24c2cc1520243f19255a3af6cfc22a
Instruction Fuzzy Hash: 70F0EC7150434C2EEB11BBA29C0AFB93B5EDB04742F054095B744631E2D5715A559773

Function 00DEA06D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00DE97EC,?,?,00DE961D), ref: 00DEA07E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00DE97EC,?,?,00DE961D), ref: 00DEA0AC

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4d17a8d38edab04ad0b17c597ccaac156a4474c715af55418dd2b5843d77c6bf
Instruction ID: 453ebf3c042f07d3fab5da9b496a3d3bb97057c35ea0c1e6789534431f31a2e6
Opcode Fuzzy Hash: 4d17a8d38edab04ad0b17c597ccaac156a4474c715af55418dd2b5843d77c6bf
Instruction Fuzzy Hash: 6EE092315412496BDB12AF66DC41FE9775CEB08391F488066BD88E2064DB31ADA8EA71

Function 00DFA31B Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00E11E4C,000000FF), ref: 00DFA34F
OleUninitialize.OLE32(?,?,?,?,00E11E4C,000000FF), ref: 00DFA354

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5e8b2291422c84706e1b3b481763c9953b322e8e05a8993234172da14c2b255b
Instruction ID: 1d420f7e172aa43686fc9d0e09f8cc560f4edd04070aafa95266e0cee6172ab0
Opcode Fuzzy Hash: 5e8b2291422c84706e1b3b481763c9953b322e8e05a8993234172da14c2b255b
Instruction Fuzzy Hash: E8F03036514654DFC711AF59DC05B5AFBA9FB49B20F00436AF92993760CB746811CA90

Function 00DEA0D4 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00DEA0C9,?,00DE768B,?,?,?,?), ref: 00DEA0E5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00DEA0C9,?,00DE768B,?,?,?,?), ref: 00DEA111

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1e80a4ca999bb3180084a09885874d1fb208403c45a205c159f7ed99b4b0b90f
Instruction ID: f94d8be0b5f8d2d9fe884915d96ea2bbf4e01bcee980c181eaf2ebad5050227f
Opcode Fuzzy Hash: 1e80a4ca999bb3180084a09885874d1fb208403c45a205c159f7ed99b4b0b90f
Instruction Fuzzy Hash: B0E06D315002685BCB10AA69DC05BE9B758EB083A1F0482A2FE54E3291D770AD588BF1

Function 00DEFFE3 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DEFFFE
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEEAC6,Crypt32.dll,00000000,00DEEB4A,?,?,00DEEB2C,?,?,?), ref: 00DF0020

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: f2d889cc5230662fae09af5526f9de7ae6a44b8fa388885a16100e13625d1548
Instruction ID: 9a3a77284f7cea5086a715f8598ba3a8dd1683774976340a5286b84a4e1b73ba
Opcode Fuzzy Hash: f2d889cc5230662fae09af5526f9de7ae6a44b8fa388885a16100e13625d1548
Instruction Fuzzy Hash: 0AE0127690015C6ADB21AA95DC04FE7776CEF0C392F4440A6BA48D2144DA749994CBB0

Function 00DF9A7F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DF9AA0
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00DF9AA7

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: e163f7e76d1985c49a0b2d90355d0f854e58694467c034c9a0f9c97496fe5dec
Instruction ID: 2ba42a43fb28fcfd8f524c7546972f9b104808f01a3da9d961074f6e7dc784c1
Opcode Fuzzy Hash: e163f7e76d1985c49a0b2d90355d0f854e58694467c034c9a0f9c97496fe5dec
Instruction Fuzzy Hash: 25E0ED7190121CEBDB10DF98C901BA9B7F8EB04311F21C15BE98597310D6B1AF449BB1

Function 00E01FAC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00E030D7: try_get_function.LIBVCRUNTIME ref: 00E030EC

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E01FCA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E01FD5

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 925bd731b4717123fd64b01c70639ede1ff1bb20cb8ae734f73217e10c2edc95
Instruction ID: 6bac4032db39bcde6ae7832d74cf903c9b84e37502461ce36a4f14d71e1230b2
Opcode Fuzzy Hash: 925bd731b4717123fd64b01c70639ede1ff1bb20cb8ae734f73217e10c2edc95
Instruction Fuzzy Hash: CCD0A93431830258DA102A7228028AA22CA5E42BB93603BCAF420BD8C2EB2084C2B111

Function 00DFDABD Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 00DFDAC9
DloadProtectSection.DELAYIMP ref: 00DFDAE5

Part of subcall function 00DFDCBD: DloadObtainSection.DELAYIMP ref: 00DFDCCD

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 49a8dcc08060300093b5289fc9781b753084d9c07417e3584a6bf3d08c506389
Instruction ID: 673b43fe32313aa976672f8dcc0ca14ebf83545e08ac3b90e999841ce581be13
Opcode Fuzzy Hash: 49a8dcc08060300093b5289fc9781b753084d9c07417e3584a6bf3d08c506389
Instruction Fuzzy Hash: F4D0A77044020C4FC115EB1699C97397593F314700F569110F702F70E5D7A04484C53C

Function 00DE12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00DE12FB
ShowWindow.USER32(00000000), ref: 00DE1302

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: dd1772388c5f4f0fb7b730cc93204f851423a5c4015927e5e694f0458d931f70
Instruction ID: c31a2856a8a1460801ed720804cef2fad14b95bf9c96f7d5180a8b6e97f1f013
Opcode Fuzzy Hash: dd1772388c5f4f0fb7b730cc93204f851423a5c4015927e5e694f0458d931f70
Instruction Fuzzy Hash: B9C0123A098200BFCF010BB1DC09D2BBBA8ABE6252F04C948B2A5D0161C23AC094DB11

Function 00DE19D6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE19DB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d14b132e2e04aad002e9c69a74f9066f8f9c14677bfc7c3f5a1b6d1dc4ce7174
Instruction ID: 4fdae578aa47cd7271283dc73176353cb318975fab90b839678167016a2bd6d4
Opcode Fuzzy Hash: d14b132e2e04aad002e9c69a74f9066f8f9c14677bfc7c3f5a1b6d1dc4ce7174
Instruction Fuzzy Hash: E0C19078B042949FDF15EF6AC884BA97BA5EF06310F0840B9EC46DF286DB359944CB71

Function 00DE3B26 Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE3B2B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2a31f3a1fc232c1c8997c5ea4c1bea3dba2fb8cfc6b63cd0a29cd90bb7e019ae
Instruction ID: bf060969554b5ba15f8bc4b540afd319ed9abc190e7ad9c260839a7b44354a60
Opcode Fuzzy Hash: 2a31f3a1fc232c1c8997c5ea4c1bea3dba2fb8cfc6b63cd0a29cd90bb7e019ae
Instruction Fuzzy Hash: B971AF71504F84AADB21EB35CC55AFBB7E8EF14301F44896EE5AB87142D631AA49CF30

Function 00DE8329 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE832E

Part of subcall function 00DE13B1: __EH_prolog.LIBCMT ref: 00DE13B6
Part of subcall function 00DE13B1: new.LIBCMT ref: 00DE142F

Part of subcall function 00DE19D6: __EH_prolog.LIBCMT ref: 00DE19DB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6aa8bb7cbadc54bbbe5a00ad95178e8f291de8d4a64bd08424c8bfe7e052807f
Instruction ID: 19970a23daa74fa593e8e60f440b7742d00dc1fed3bbdce7265689d082cde60e
Opcode Fuzzy Hash: 6aa8bb7cbadc54bbbe5a00ad95178e8f291de8d4a64bd08424c8bfe7e052807f
Instruction Fuzzy Hash: 5A4181719406999ADB24FBA2CC55BEAB379EF50300F0440EAE58D97093DE745EC8EB70

Function 00DF2DDD Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DF2DE2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 77b695a1fe76c5267ac29bd2092e1c187b28e5b5f6813408b0baf570282d8a26
Instruction ID: 16b510034b8fb90e960613acd5fc47534e6ca971ef3bfe8a0954e06fb1d1e8f0
Opcode Fuzzy Hash: 77b695a1fe76c5267ac29bd2092e1c187b28e5b5f6813408b0baf570282d8a26
Instruction Fuzzy Hash: B921D5B1E4021AAFDB14DF74CC4167A76A8EF04314F15813AF609AB681D7709950C6F8

Function 00DE1E30 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE1E35

Part of subcall function 00DE3B26: __EH_prolog.LIBCMT ref: 00DE3B2B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 546cf56e407aa9103c94d7f0fc8e8d9c65ee6e7e48010897b69d60c10af20714
Instruction ID: 6e891b96e2b6f42b9069923cac4efdbd327d46966c7ecc58f035f145203d0ceb
Opcode Fuzzy Hash: 546cf56e407aa9103c94d7f0fc8e8d9c65ee6e7e48010897b69d60c10af20714
Instruction Fuzzy Hash: 8921397AA041499FCB15EF9AC9819EEBBF6FF48700B1040AAF845A3251DB325E50CB70

Function 00DFA712 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DFA717

Part of subcall function 00DE13B1: __EH_prolog.LIBCMT ref: 00DE13B6
Part of subcall function 00DE13B1: new.LIBCMT ref: 00DE142F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2cd0bf1d8ad116c9f4ab4db04020f038b93b83f113c3adf2672326624df86bfc
Instruction ID: e33f089dfdf248612f69340f8c5f9222576ffc169171ccd0a02a4bdd9e68cf5e
Opcode Fuzzy Hash: 2cd0bf1d8ad116c9f4ab4db04020f038b93b83f113c3adf2672326624df86bfc
Instruction Fuzzy Hash: E72169B5D0428DAACF11EF99C9519EEB7B4EF18304F0444EEE809A7202D7356E05DB71

Function 00DE9283 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE9288

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d23731032d61272dc182b25e6a23b52325f81f89b23cedb37a5e20f41c1aabcd
Instruction ID: 6da7815a46395d0d000b565a6cc0b1fe6c58f9dd6256560205c613dee49a1032
Opcode Fuzzy Hash: d23731032d61272dc182b25e6a23b52325f81f89b23cedb37a5e20f41c1aabcd
Instruction Fuzzy Hash: F4118273A11969ABCF22BBA9CC919EDB731FF88740F054515FD0567211CA318C0186B4

Function 00E08398 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E03866,?,0000015D,?,?,?,?,00E04D42,000000FF,00000000,?,?), ref: 00E083CA

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6d2288b67f32615d5c7cf86d134589fb1cc65c13afc2e2b34dd2f8d5d82e4716
Instruction ID: 9a87c33c9810e828910107b04dd6b2bd5ae97008cee001c60387abcdc763f142
Opcode Fuzzy Hash: 6d2288b67f32615d5c7cf86d134589fb1cc65c13afc2e2b34dd2f8d5d82e4716
Instruction Fuzzy Hash: 2DE0E5312003219ADA302A666E0279F7688AFE1BA0F156121ECD4B64D1EF68CC8082E1

Function 00DE5BA7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE5BAC

Part of subcall function 00DEAFBD: __EH_prolog.LIBCMT ref: 00DEAFC2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ee14e4490fbf987cc0c8d6c13c6cc6f295f1d4e784689cdcfad30f4b410aeb4
Instruction ID: 065ceeb96b138d1841f30a4c92c78bd67e4cece6c94f0b1d35a0423a6259df1e
Opcode Fuzzy Hash: 7ee14e4490fbf987cc0c8d6c13c6cc6f295f1d4e784689cdcfad30f4b410aeb4
Instruction Fuzzy Hash: 24018C30A05694DAD715F7A8C9067EDBBE4DF1A305F50459EB54A53282CBB82B04C773

Function 00DE9670 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00DE9624), ref: 00DE968B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b820f5c4066ef4a77b4eed49a9d7849c4209d23b7df77887199df454fcc51e09
Instruction ID: f91b8cb62d767eef2fe719663496a6293e09c77edaca604f4da0ccb72e1860ce
Opcode Fuzzy Hash: b820f5c4066ef4a77b4eed49a9d7849c4209d23b7df77887199df454fcc51e09
Instruction Fuzzy Hash: 30F0B4700437505EDB30AB218918792B3E49B12325F088B1EC0FA438E0D360A84DCB60

Function 00DEA406 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA435

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: eefe01b0d58e9b23914ae30e3506100784f847c7c121a098c2e4e58b2411038f
Instruction ID: 65bb4d54a3b3500545d4705cb2229b4d96681f982c478568e71b909f82237edf
Opcode Fuzzy Hash: eefe01b0d58e9b23914ae30e3506100784f847c7c121a098c2e4e58b2411038f
Instruction Fuzzy Hash: E5F054350097C1AACA227BB948047D6BBA5AF19371F04CA49F1FD121D6C2B574999733

Function 00DF05DA Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00DF060F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 82e00035f64d3c309bac5faf3779ff6343fe5fd4ee10147d1f9d94a8ecc0effe
Instruction ID: 2560435d6334590f6caa7ada579e53ad3e2c015aeed3f50c9e3e9e120b3d994d
Opcode Fuzzy Hash: 82e00035f64d3c309bac5faf3779ff6343fe5fd4ee10147d1f9d94a8ecc0effe
Instruction Fuzzy Hash: B4D0C224B0009566CA113BAA680A7FE1E068FCB311F0E8035B30DAB2D3CE84098A82B5

Function 00DF9D2F Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00DF9D35

Part of subcall function 00DF9A7F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DF9AA0

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: e13b48070a70aae3dd87dac9b967e8d4079dc715caa04fc070f3b589795e5392
Instruction ID: ad97ed980d31a86347a66394f5cb00bceedf6720cd62229c19a4266a720829c2
Opcode Fuzzy Hash: e13b48070a70aae3dd87dac9b967e8d4079dc715caa04fc070f3b589795e5392
Instruction Fuzzy Hash: 35D05E30A0010C6ADB40AA61CC22B79B798DB00310F11C175BE0885160EDB2DD10A671

Function 00DE9929 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00DE9827), ref: 00DE9935

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bda047b9359255c16165d0c81dd095ca63fa7316f523ea9c1c72dedda1654fc1
Instruction ID: 4d3a8ff0b6f82683f940371b976d4403fa32d37c4cc3ebc442d093c825271c3a
Opcode Fuzzy Hash: bda047b9359255c16165d0c81dd095ca63fa7316f523ea9c1c72dedda1654fc1
Instruction Fuzzy Hash: 0CD01231012180998F226A374D990D9A6529B43376B3CD7ACD025C40A2C726C803FD51

Function 00DFD270 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00DFD295

Part of subcall function 00DFABC4: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFABD5
Part of subcall function 00DFABC4: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFABE6
Part of subcall function 00DFABC4: IsDialogMessageW.USER32(0001043C,?), ref: 00DFABFA
Part of subcall function 00DFABC4: TranslateMessage.USER32(?), ref: 00DFAC08
Part of subcall function 00DFABC4: DispatchMessageW.USER32(?), ref: 00DFAC12

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 3cdd8ae0c673e46128c6d461a29c40a7d395e3cf44f83212642719f01aa6696b
Instruction ID: 16111c674eca57c4a269e587be7a05c0924908529ac72fbe34d2dd5ccd936ee7
Opcode Fuzzy Hash: 3cdd8ae0c673e46128c6d461a29c40a7d395e3cf44f83212642719f01aa6696b
Instruction Fuzzy Hash: 31D09E71144200AEDA113B52CE07F1A7AA7EB88B04F404554B349740F186629E619B26

Function 00DFE04F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE061

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16660a4bf95fead2942f7b99f5997748e23dd90fe3da47782807630a0af8a23d
Instruction ID: 3bf74f2d88bc5482d0d096a9ae32e75be73e4dce1e39d8288bf68b17b08932f0
Opcode Fuzzy Hash: 16660a4bf95fead2942f7b99f5997748e23dd90fe3da47782807630a0af8a23d
Instruction Fuzzy Hash: 93B012A525B3097C330421906D03D76030DC1C0B50336E16EF300E809299814CC10072

Function 00DFD957 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd23357be3322b2e9c97c6753b592dfa5b5d7f3cc6b7b5fbaf47f214b62cf31c
Instruction ID: 104b64ea901b45a5ac459ee7a88accfce663f5a08ec1650d104a2710c81258df
Opcode Fuzzy Hash: bd23357be3322b2e9c97c6753b592dfa5b5d7f3cc6b7b5fbaf47f214b62cf31c
Instruction Fuzzy Hash: 1DB012D529970D6C324471647C0BE36110FC0C0B51379E16EF104D50CAD4804CC02132

Function 00DFD92F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7a42db7a6dd1a21e2debf07d3bef1842f1bed2387712b36a170e55dae1c17a4
Instruction ID: 3ad2aaee7271879c014509924551cb1742ef1245613a4c5dbe74b2508b948279
Opcode Fuzzy Hash: a7a42db7a6dd1a21e2debf07d3bef1842f1bed2387712b36a170e55dae1c17a4
Instruction Fuzzy Hash: 6FB012D52596096C3244B1647C0BF3A110FC0C0B11379E56EF204D50CAD4804CC41032

Function 00DFD925 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9f0c55b34505d55fdc88058122e0d59ca5aef3e488fbc04c40e598c3b78abae0
Instruction ID: 9f3c04268dede4ea5a256b4b50d674c059d97f22c4dd3f09ed10a1bf7054cbc1
Opcode Fuzzy Hash: 9f0c55b34505d55fdc88058122e0d59ca5aef3e488fbc04c40e598c3b78abae0
Instruction Fuzzy Hash: E7B012E9259609AC334471657D0BD36110FC0C0B11379E26EF504D50C6D4844CC01032

Function 00DFDAB3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA8C

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 493b82f29bf57ecbce01390138e44d8429e135efa5d1ac65426d6a47e79dd296
Instruction ID: ca3416b774290334797cdf9da310f0b29532f2bbd9f64da004c1a941bae7f7b6
Opcode Fuzzy Hash: 493b82f29bf57ecbce01390138e44d8429e135efa5d1ac65426d6a47e79dd296
Instruction Fuzzy Hash: B3B0129136E3056D314462546C07D36211FC0D0B10335E26FF600D5242D4904CC00036

Function 00DFDAA9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA8C

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6312f3f683b9a919c796482ae855cf6533213d9f391496af9fe7bd104bdcef3
Instruction ID: 6076f3233633bbbd58dad2def25323077ed3490d42bd11cc80bf8342ecca1296
Opcode Fuzzy Hash: e6312f3f683b9a919c796482ae855cf6533213d9f391496af9fe7bd104bdcef3
Instruction Fuzzy Hash: CFB0129535E3066D314462146C07E36211FC0D4B10335E26EFA00D5242D4904CC00036

Function 00DFDA7A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA8C

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 926f325a9bfd6208b199c4ef45afecd8a4356c1ad55686886ada43197db78839
Instruction ID: cfcb49f2441d8ef9eaac60c1b23becf3331978da0dd828284cd21a6cb378798d
Opcode Fuzzy Hash: 926f325a9bfd6208b199c4ef45afecd8a4356c1ad55686886ada43197db78839
Instruction Fuzzy Hash: EFB0129139E3057D324462106C07C36211FC0D0B10335E36EF600E414295904CC00036

Function 00DFDA19 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5a8f9c1f6f24a0a331ffb8394e602291233f96fbd87fd078545349ff0fa6659
Instruction ID: 48cbf82d37e9aa9cf2a05f9b98166ad4a7fefe793e64e73791fd4c682ef44e5c
Opcode Fuzzy Hash: e5a8f9c1f6f24a0a331ffb8394e602291233f96fbd87fd078545349ff0fa6659
Instruction Fuzzy Hash: 68B012926ED7057C330472117C03C76221FC0D0B11335E2AFF500E404294804CC40032

Function 00DFDA3E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2944c41a7ee8f16058af752bdb8c3e6f3a9235c21e7d1a54bbdce9d5ca548202
Instruction ID: 4eb5fbd10b881b5b67e65f7774af6a537497d3de4e2682fa46ae2539910beb48
Opcode Fuzzy Hash: 2944c41a7ee8f16058af752bdb8c3e6f3a9235c21e7d1a54bbdce9d5ca548202
Instruction Fuzzy Hash: 1AB012956AD605AC314472152D03D76226FC0D0B11335E1AFF900D6046D4804CC80032

Function 00DFDA34 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f67081814605852e057f2e883a01597b03dcc727bba4b93d5e21680f2212fdc2
Instruction ID: d7af3b20964acb6c5df10f586b9427edc27d3584ff10d182ae2bfecb1c3560a1
Opcode Fuzzy Hash: f67081814605852e057f2e883a01597b03dcc727bba4b93d5e21680f2212fdc2
Instruction Fuzzy Hash: B6B012912BD6056C314472252C03E36225FC0D0B11335E1BFF500D5046D4404CC40032

Function 00DFD6E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f85ef2849c7d8fff83860862f4dbc4e53dbfb2ff67d076968bc7758f5001826
Instruction ID: 436693f39092000360a8e60b742fe8934eb90b52ad11b87bbe175ab1bdffffea
Opcode Fuzzy Hash: 3f85ef2849c7d8fff83860862f4dbc4e53dbfb2ff67d076968bc7758f5001826
Instruction Fuzzy Hash: 37B012D629A70A7D3A8422107C43C37220FC4C0B91335E26AB200E4043E8844CC00033

Function 00DFD7CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef14139068a1cc50fb6c229aedf8757122c9f99c5462d233250c1a413f768085
Instruction ID: 744e2d7d97066bea33c360c5eed3da0d74bc559e164e6cc2bfb61f88edb39532
Opcode Fuzzy Hash: ef14139068a1cc50fb6c229aedf8757122c9f99c5462d233250c1a413f768085
Instruction Fuzzy Hash: 9AB012D225A6196C318462147C03D36220FC4C4B51335E56AB204D5182E4445C800033

Function 00DFD798 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f4127daa1ace1bef20b9a97138ec46cfafeb280602abd788d7ffbd4fa102fb7f
Instruction ID: 720d30092be24290b3a69e3b96e84ad0414e4978a8d9fc286c333ee9cc54edfa
Opcode Fuzzy Hash: f4127daa1ace1bef20b9a97138ec46cfafeb280602abd788d7ffbd4fa102fb7f
Instruction Fuzzy Hash: D3B012E225A6096C31846214BD03D76228FC4C0B11335E16AB204E5542E4444C810033

Function 00DFD784 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 843114d99c4aa2b2d916effa1864bb6ec089b26d1c7d1de2f8daaf93881fd812
Instruction ID: 7ee38c876c8730e53d91d54aead192f0bf4793241fe58b47dc022b758042c0b6
Opcode Fuzzy Hash: 843114d99c4aa2b2d916effa1864bb6ec089b26d1c7d1de2f8daaf93881fd812
Instruction Fuzzy Hash: 21B012DA25A6496C318462247C03E36224FC4C0B11335E16AB704E5142E5444C800033

Function 00DFD75C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b4337d616f5eebd075ea3c20c54127e8fa956052a588e0cdd33e1a90eccf60d5
Instruction ID: 0bbf392472605122a2ddac124f6e7ae24ceced7451ed7d8189ffcb093c832c20
Opcode Fuzzy Hash: b4337d616f5eebd075ea3c20c54127e8fa956052a588e0cdd33e1a90eccf60d5
Instruction Fuzzy Hash: E4B012D625B64D6C318462147C03E36320FC4C0B11335E16BB604D5142E4444C900033

Function 00DFD752 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ba8d5d64bcd68d3034e45d6b2f80fddfc56d03338a983b1e1bc8d05827a5968
Instruction ID: 2994406600c07d58250109b985c30e959693d3cdd17d7a2a94271207435fa13d
Opcode Fuzzy Hash: 7ba8d5d64bcd68d3034e45d6b2f80fddfc56d03338a983b1e1bc8d05827a5968
Instruction Fuzzy Hash: E4B012E225A6096C318462167C03D76220FC4C0F51335E16AB204D5143E4444C800033

Function 00DFD748 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 327d6d30649b463d886f1d0ebc613bd4218a1f743d033d69bee6f900cf97acdb
Instruction ID: 6456db987cee83afa71ecf2ea10ce97ba8c6fdfc93cc08582631d6fb50560910
Opcode Fuzzy Hash: 327d6d30649b463d886f1d0ebc613bd4218a1f743d033d69bee6f900cf97acdb
Instruction Fuzzy Hash: 98B012E225A6096C31846215BD03D76220FC4C0F15335E16AB204D5542E4444D810033

Function 00DFD77A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30841d38939c43a6675a947e1b70e3ea4bf3dd93cccc6b871fc69f64d1496ad7
Instruction ID: d348dc2b53f76c28ab7c261db31a319fd551ba99ece8400729d15d614a34b912
Opcode Fuzzy Hash: 30841d38939c43a6675a947e1b70e3ea4bf3dd93cccc6b871fc69f64d1496ad7
Instruction Fuzzy Hash: F0B012D226B60D6C318462147C03D36324FC8C0B51335E16AB204D5142E4444C800033

Function 00DFD766 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 789709f5be223d5b00522e99aeb8fcc843f0b5cbbaf04b35a63404132b996e9c
Instruction ID: 2a38725a7dda7da71cd16213e0bffdf714df7392399190d5a5aec74231060a7c
Opcode Fuzzy Hash: 789709f5be223d5b00522e99aeb8fcc843f0b5cbbaf04b35a63404132b996e9c
Instruction Fuzzy Hash: C0B012E229B70D6C32C463147C03D36320FC4C0B11335E36AB204D5142E4444CC00033

Function 00DFD716 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c181516b1062807b43c4c9ad3b0e02c108fae27aa429b3c6dac638a3d133c84
Instruction ID: bfd69c9161f69a3bd9f6a683b4a34a53be9c8ed1389c439d541f8e737f31e9d6
Opcode Fuzzy Hash: 4c181516b1062807b43c4c9ad3b0e02c108fae27aa429b3c6dac638a3d133c84
Instruction Fuzzy Hash: 98B012D229A7496C32C462157C03E36220FC4C0B11335E66AF204D5242E4444CC40033

Function 00DFD70C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c6b86f037a5915a5bd779000eb1b1105bc4a8cafaad7a206c4935a425028d80
Instruction ID: a97939ebf0ff601f176f6f18847df6f1280a1a59fc5d8975adc704ba24cc4a6c
Opcode Fuzzy Hash: 4c6b86f037a5915a5bd779000eb1b1105bc4a8cafaad7a206c4935a425028d80
Instruction Fuzzy Hash: 4CB012D625A6496C318466147C03F36224FC4C0B11335E16AF604D5242E4444C840033

Function 00DFD702 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85ca1a16e88674026b0be389251eaaf09afbe7ed487f735c2231cc753c1cb319
Instruction ID: f9378605c0ca55c09e94f880c02282dc341ed216639e99ba16694eacacc32991
Opcode Fuzzy Hash: 85ca1a16e88674026b0be389251eaaf09afbe7ed487f735c2231cc753c1cb319
Instruction Fuzzy Hash: 3FB012D625A70D6D318462147C03D37220FC4C0B91335E16AB204D5143E4444C800133

Function 00DFD73E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d9cebeab5420dd144568ac36483f292e33989cf64addba85bfba6ec94819f99d
Instruction ID: 27560527c9ce487455a8249ac6f4c5b2dbebf454665171bba0062d0ec6e421e4
Opcode Fuzzy Hash: d9cebeab5420dd144568ac36483f292e33989cf64addba85bfba6ec94819f99d
Instruction Fuzzy Hash: 35B012E229A7096C32C462557C03D36220FC4C0F11335E26AB204D5142E4444CC00033

Function 00DFD734 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc042320bacf03ecaca477d8a10e90e5c5ed0de82742dd4a23e18135a682a7b0
Instruction ID: eac03bda211ea6b9fe44eff76d913762b6b7afe5f2a72ef8f7a0bc9418d66833
Opcode Fuzzy Hash: cc042320bacf03ecaca477d8a10e90e5c5ed0de82742dd4a23e18135a682a7b0
Instruction Fuzzy Hash: 34B012E625A6496C328462157C03E36220FC4C0F11335E26AB604D5142E4444C800033

Function 00DFD720 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 388b64d3f25d4056a5a619c0bf3f3442d0975b4400debec2c96689130114b132
Instruction ID: 4950b937efbfe8499b8aa33d2e78fed4f92fa681315b74163430a83a6ae61ff6
Opcode Fuzzy Hash: 388b64d3f25d4056a5a619c0bf3f3442d0975b4400debec2c96689130114b132
Instruction Fuzzy Hash: 19B012D225A6196C31846214BD03E76220FC4C0B11335E16AF204D5642F4544C890033

Function 00DFD8FB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d41867ca555385c9a451cb1ee572a60f1ddc8c8f152233d8c5d23ed108008b98
Instruction ID: 12a5c1e264bd9be6d6fc2b78133e014b1668fc09241feeef8a4322c18049185b
Opcode Fuzzy Hash: d41867ca555385c9a451cb1ee572a60f1ddc8c8f152233d8c5d23ed108008b98
Instruction Fuzzy Hash: 04A012E51556093C310431607C0AD36110FC0C0B11379D11DF100940C6548018401031

Function 00DFD952 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0f269dbc69a378f55972104d311e8dcacc67961ca016c395ab23c282bce67ea
Instruction ID: 589f4bb8bd9b37cf9ee9180e3271f3a7e8f3bb49e4fb8724325f538c9d5ec2c5
Opcode Fuzzy Hash: f0f269dbc69a378f55972104d311e8dcacc67961ca016c395ab23c282bce67ea
Instruction Fuzzy Hash: 8EA012D515960A7C310431607C0AC36110FC0C0B11379D51DF101840C6548008401031

Function 00DFD948 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b3d5a61a55f180d091e7f17427bcbc6f0f5b81efb708e0b4b6f3279f5a987b5b
Instruction ID: 589f4bb8bd9b37cf9ee9180e3271f3a7e8f3bb49e4fb8724325f538c9d5ec2c5
Opcode Fuzzy Hash: b3d5a61a55f180d091e7f17427bcbc6f0f5b81efb708e0b4b6f3279f5a987b5b
Instruction Fuzzy Hash: 8EA012D515960A7C310431607C0AC36110FC0C0B11379D51DF101840C6548008401031

Function 00DFD916 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef6a76e63dc8b1a398852f063a986db438f45f76fba3e756a4d487b5e7eefdb4
Instruction ID: 589f4bb8bd9b37cf9ee9180e3271f3a7e8f3bb49e4fb8724325f538c9d5ec2c5
Opcode Fuzzy Hash: ef6a76e63dc8b1a398852f063a986db438f45f76fba3e756a4d487b5e7eefdb4
Instruction Fuzzy Hash: 8EA012D515960A7C310431607C0AC36110FC0C0B11379D51DF101840C6548008401031

Function 00DFD93E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf237a97c7253648075e1ef34629ad572d5cef5256494c75cbec4f80442a4b47
Instruction ID: 589f4bb8bd9b37cf9ee9180e3271f3a7e8f3bb49e4fb8724325f538c9d5ec2c5
Opcode Fuzzy Hash: bf237a97c7253648075e1ef34629ad572d5cef5256494c75cbec4f80442a4b47
Instruction Fuzzy Hash: 8EA012D515960A7C310431607C0AC36110FC0C0B11379D51DF101840C6548008401031

Function 00DFD920 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD908

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de13d1a54d4be1858d811fdecb458b9a3ec7de2f72d2c3895cab8d78d1419377
Instruction ID: 589f4bb8bd9b37cf9ee9180e3271f3a7e8f3bb49e4fb8724325f538c9d5ec2c5
Opcode Fuzzy Hash: de13d1a54d4be1858d811fdecb458b9a3ec7de2f72d2c3895cab8d78d1419377
Instruction Fuzzy Hash: 8EA012D515960A7C310431607C0AC36110FC0C0B11379D51DF101840C6548008401031

Function 00DFDA9A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA8C

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c522c18e5328708d43bba3f6f59c0e9f0e5d1f1bd560566c5d67b6e2f6caa724
Instruction ID: dac4970a787d2bb7017d5a802b4049f06b0c79aff5c810343565c18573ca70bd
Opcode Fuzzy Hash: c522c18e5328708d43bba3f6f59c0e9f0e5d1f1bd560566c5d67b6e2f6caa724
Instruction Fuzzy Hash: 66A0029525D2167D314461515D07D76211FC4D4B51335D55DF541D504255945C851035

Function 00DFDAA4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA8C

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5879a3c6bf79c04012e78826f29b514102b9e7324f7392e484a24cffa2897e9
Instruction ID: dac4970a787d2bb7017d5a802b4049f06b0c79aff5c810343565c18573ca70bd
Opcode Fuzzy Hash: e5879a3c6bf79c04012e78826f29b514102b9e7324f7392e484a24cffa2897e9
Instruction Fuzzy Hash: 66A0029525D2167D314461515D07D76211FC4D4B51335D55DF541D504255945C851035

Function 00DFDA57 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fec9c166e4652e82d9cc350ae29f922846173444f05921f42a87de213152b156
Instruction ID: abe8a6c9d9cb8d10d2f967ac5707a71c82b3c63ad490a9d64e7190f2c14b7502
Opcode Fuzzy Hash: fec9c166e4652e82d9cc350ae29f922846173444f05921f42a87de213152b156
Instruction Fuzzy Hash: A9A012911AD6067C300432111C02C36221FC0D0B11335D55EF5018404254400C800031

Function 00DFDA4D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33d7f9be0742f8f75a390a369892ba10c53abf2f47ed404123b61f6edb13d90c
Instruction ID: abe8a6c9d9cb8d10d2f967ac5707a71c82b3c63ad490a9d64e7190f2c14b7502
Opcode Fuzzy Hash: 33d7f9be0742f8f75a390a369892ba10c53abf2f47ed404123b61f6edb13d90c
Instruction Fuzzy Hash: A9A012911AD6067C300432111C02C36221FC0D0B11335D55EF5018404254400C800031

Function 00DFDA75 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a570b40e650fdc565fa9cd130a626b411dbf5d66844f346639acf012a678b67
Instruction ID: abe8a6c9d9cb8d10d2f967ac5707a71c82b3c63ad490a9d64e7190f2c14b7502
Opcode Fuzzy Hash: 9a570b40e650fdc565fa9cd130a626b411dbf5d66844f346639acf012a678b67
Instruction Fuzzy Hash: A9A012911AD6067C300432111C02C36221FC0D0B11335D55EF5018404254400C800031

Function 00DFDA6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 56310585b9ed4cc8ab2f60e30bb3e3ffb5a26ddda1a4273ee165ad917540de55
Instruction ID: abe8a6c9d9cb8d10d2f967ac5707a71c82b3c63ad490a9d64e7190f2c14b7502
Opcode Fuzzy Hash: 56310585b9ed4cc8ab2f60e30bb3e3ffb5a26ddda1a4273ee165ad917540de55
Instruction Fuzzy Hash: A9A012911AD6067C300432111C02C36221FC0D0B11335D55EF5018404254400C800031

Function 00DFDA61 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFDA2B

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a39b8c3b2550989240dfc1a67ac56b26a04911744681164b549de0101ba88a13
Instruction ID: abe8a6c9d9cb8d10d2f967ac5707a71c82b3c63ad490a9d64e7190f2c14b7502
Opcode Fuzzy Hash: a39b8c3b2550989240dfc1a67ac56b26a04911744681164b549de0101ba88a13
Instruction Fuzzy Hash: A9A012911AD6067C300432111C02C36221FC0D0B11335D55EF5018404254400C800031

Function 00DFD7D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63cbee25c51d11bddddf4bbd13b7d67ba511ccdb8bf5003f1c4b060807c03a55
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 63cbee25c51d11bddddf4bbd13b7d67ba511ccdb8bf5003f1c4b060807c03a55
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7C5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83781cd08f36b68f643af41a4fe5c746d5eeee3aaae83f93a1e94eb8eb4f14c3
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 83781cd08f36b68f643af41a4fe5c746d5eeee3aaae83f93a1e94eb8eb4f14c3
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7ED Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46db394d4d5ed1690c1da0f5c06c4392ec4c6621061429b472dc6bc2378b530c
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 46db394d4d5ed1690c1da0f5c06c4392ec4c6621061429b472dc6bc2378b530c
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7E3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a428c8c78ed6183c1811c8bc4bc273e0dc823d67e5493b7e5727fd8307f33cc
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 5a428c8c78ed6183c1811c8bc4bc273e0dc823d67e5493b7e5727fd8307f33cc
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD793 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32026242dd5d0ac654399afc1307c7f589042a8c61e0e20a6cdd400a1a228932
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 32026242dd5d0ac654399afc1307c7f589042a8c61e0e20a6cdd400a1a228932
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7BB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5cef511c8bfdf08ef2296a82163d0bb7c1fb0836c5368d483ae6ed9dcb21e12f
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 5cef511c8bfdf08ef2296a82163d0bb7c1fb0836c5368d483ae6ed9dcb21e12f
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7B1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a771be7aee48cbaa5b782b1b92ad77cdca008c47f2ad294727ca668bd48491eb
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: a771be7aee48cbaa5b782b1b92ad77cdca008c47f2ad294727ca668bd48491eb
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD7A7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aeb4f8e45253cc64b057d5020604258498a2716ed7ec79e37b8e1b1696ab5a02
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: aeb4f8e45253cc64b057d5020604258498a2716ed7ec79e37b8e1b1696ab5a02
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD775 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b9d98ecb75282cdb8895a9c29d5b3ddcebc935caf9378b2e45f60bef6622fc1
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: 8b9d98ecb75282cdb8895a9c29d5b3ddcebc935caf9378b2e45f60bef6622fc1
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DFD72F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFD6F9

Part of subcall function 00DFDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFDE2C
Part of subcall function 00DFDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFDE3D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c33e5de35cc44df43b372ba195f78210d2d5db0cd9698f9e5ba537b2c137fee3
Instruction ID: 1ad0644b1dcb68ea643d3e1bdef942221c8ad8faeb2a43c281341c996ac5ee6c
Opcode Fuzzy Hash: c33e5de35cc44df43b372ba195f78210d2d5db0cd9698f9e5ba537b2c137fee3
Instruction Fuzzy Hash: 87A012D215960A7C304421106C02C36220FC4C0B51335D519B101C4042644408400032

Function 00DE9DFF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00DE90AB,?,?,-00001960), ref: 00DE9E02

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 944ad6d665650f1446121e7a1a2413a4e3924c83108bb11c91fc7b6f3b44c6c3
Instruction ID: 7e5e528146a54c21dd414cd531bc97bbe357709543eef806c948840e6f2283aa
Opcode Fuzzy Hash: 944ad6d665650f1446121e7a1a2413a4e3924c83108bb11c91fc7b6f3b44c6c3
Instruction Fuzzy Hash: 94B011B00A000A8A8E002F30CC088283A22EB2A30A30082A8A002CA0A0CB22C02BAA00

Non-executed Functions

Function 00DFB820 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00DFB8B1
EndDialog.USER32(?,00000006), ref: 00DFB8C4
GetDlgItem.USER32(?,0000006C), ref: 00DFB8E0
SetFocus.USER32(00000000), ref: 00DFB8E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00DFB921
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00DFB958
FindFirstFileW.KERNEL32(?,?), ref: 00DFB96E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DFB98C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DFB99C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DFB9B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DFB9D4
_swprintf.LIBCMT ref: 00DFBA04

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00DFBA17
FindClose.KERNEL32(00000000), ref: 00DFBA1E
_swprintf.LIBCMT ref: 00DFBA77
SetDlgItemTextW.USER32(?,00000068,?), ref: 00DFBA8A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00DFBAA7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00DFBAC7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DFBAD7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DFBAF1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DFBB09
_swprintf.LIBCMT ref: 00DFBB35
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00DFBB48
_swprintf.LIBCMT ref: 00DFBB9C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00DFBBAF

Part of subcall function 00DFA5BC: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DFA5E2
Part of subcall function 00DFA5BC: GetNumberFormatW.KERNEL32(00000400,00000000,?,00E1D600,?,?), ref: 00DFA631

Strings

%s %s %s, xrefs: 00DFB9F2, 00DFBB27
REPLACEFILEDLG, xrefs: 00DFB847
%s %s, xrefs: 00DFBA69, 00DFBB8E

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: ce0e4df488b22d6e9acd9ebf1338cfd4ec29faf0ef0a08d6842bd59401a18711
Instruction ID: 122a1a785569774fa7d8df81547c2de491a08e9e6da0f746d50277eca477a540
Opcode Fuzzy Hash: ce0e4df488b22d6e9acd9ebf1338cfd4ec29faf0ef0a08d6842bd59401a18711
Instruction Fuzzy Hash: 2491A272648348BFD621DBA1CC49FFB77ACEB8A750F05881AF749D2081D77196098B72

Function 00DE7165 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE716A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00DE72CA
CloseHandle.KERNEL32(00000000), ref: 00DE72DA

Part of subcall function 00DE7BCE: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DE7BDD
Part of subcall function 00DE7BCE: GetLastError.KERNEL32 ref: 00DE7C23
Part of subcall function 00DE7BCE: CloseHandle.KERNEL32(?), ref: 00DE7C32

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00DE72E5
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00DE73F3
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00DE741F
CloseHandle.KERNEL32(?), ref: 00DE7430
GetLastError.KERNEL32(00000015,00000000,?), ref: 00DE7440
RemoveDirectoryW.KERNEL32(?), ref: 00DE748C
DeleteFileW.KERNEL32(?), ref: 00DE74B4

Strings

UNC\, xrefs: 00DE7215
SeCreateSymbolicLinkPrivilege, xrefs: 00DE7195
\??\, xrefs: 00DE71F0
SeRestorePrivilege, xrefs: 00DE718B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: ac891fd6b3fbaf44392710ab35f06a854811a9c43ac3aa70a935d3353e6e2645
Instruction ID: 3dc4c757979b039c09510a86bdce5ee83d26051b67b777487692fcaedeb738bc
Opcode Fuzzy Hash: ac891fd6b3fbaf44392710ab35f06a854811a9c43ac3aa70a935d3353e6e2645
Instruction Fuzzy Hash: FFB1BF71904255AEDF21EF65CC81BEEB7B8EF04300F144569FA49E7182DB74AA49CBB0

Function 00DE326D Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE3276
_memcmp.LIBVCRUNTIME ref: 00DE3363

Strings

h%u, xrefs: 00DE3616
hc%u, xrefs: 00DE3664
CMT, xrefs: 00DE3979

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 577a9061cf4220319060605a395a4173fcf0e28e8d10aa6739f4eff868d479c4
Instruction ID: 7ad6cba7b44be20d8e0399b95eecea05b30c470876d15308ce6cb7472f7cfa5b
Opcode Fuzzy Hash: 577a9061cf4220319060605a395a4173fcf0e28e8d10aa6739f4eff868d479c4
Instruction Fuzzy Hash: F6328F715142C49BDF18EF65C899AFA37A5EF14300F48547DFD8A8B282DB70AA49CB70

Function 00E0CECE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E0D014

Strings

1#QNAN, xrefs: 00E0E21A
1#IND, xrefs: 00E0E20C
1#INF, xrefs: 00E0E221
1#SNAN, xrefs: 00E0E213

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5722c21a235492aa067948d2224eb8aa4e1031f0d3dac1f8d71ba835e22999c0
Instruction ID: 68dba2f445cc9539121dbaa720c5f5e0f25d0a025dd958d849e3cfd8c904cad4
Opcode Fuzzy Hash: 5722c21a235492aa067948d2224eb8aa4e1031f0d3dac1f8d71ba835e22999c0
Instruction Fuzzy Hash: 22C22771E086298FDB25CE689D407EAB7B5EB84304F1555EAD84DF7280E778AEC18F40

Function 00DE27D4 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE27DD
_strlen.LIBCMT ref: 00DE2D6B

Part of subcall function 00DF12D6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00DEB592,00000000,?,?,?,0001043C), ref: 00DF12F2

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE2ECC

Strings

CMT, xrefs: 00DE2EFF

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: ad2d3e6af8ebba878d7466ad82efce18e50da05b9c43a339fcb54d8b6cca6696
Instruction ID: a75b37a536c22c7542aec9c2d8bff7a439bc946b953fef3acdf0c14a1d92c60e
Opcode Fuzzy Hash: ad2d3e6af8ebba878d7466ad82efce18e50da05b9c43a339fcb54d8b6cca6696
Instruction Fuzzy Hash: 5762D2715002848FDB29EF3AC8956FA3BE5EF54304F09457EED9A8B282D670A945CB70

Function 00E0CA20 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

;, xrefs: 00E0CA3D, 00E0CBE8, 00E0CE0C, 00E0CDA6, 00E0CC36, 00E0CBC4
;, xrefs: 00E0CE88, 00E0CC72, 00E0CB01

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: ;$;
API String ID: 0-3178619623
Opcode ID: 7a0d7a063ca18aa33b8173c25e0cabb50717dc128e3e66a33e751a7d327b1497
Instruction ID: 80caa6abb11d57e029ed58059eaf60d534244070b8e449f3f7616411d774ff16
Opcode Fuzzy Hash: 7a0d7a063ca18aa33b8173c25e0cabb50717dc128e3e66a33e751a7d327b1497
Instruction Fuzzy Hash: E4020B71E002199BDF14CFA9C8806ADBBF1EF88314F25966AD919F7384D731A985CB90

Function 00E084EF Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E085E7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E085F1
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00E085FE

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d98c3c1c1b77f1f1cc8f224d661110dfb86b8830f76c6628e3225791dda431bf
Instruction ID: 79e941f05f3b1c6e64c39beb79c1b21c3e7044df5e3a34e3bb16908498be5cc4
Opcode Fuzzy Hash: d98c3c1c1b77f1f1cc8f224d661110dfb86b8830f76c6628e3225791dda431bf
Instruction Fuzzy Hash: 9E31C27590121CABCB21DF24DD88798BBB8FF08310F5081EAE50CA7291EB319B858F54

Function 00E0A928 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00E0AABB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: a8c099f6bc385b6e62f4738e9da41e92570e68e8c37d08b8705aa04679cb1759
Instruction ID: 95a13a60696a184119759ded1fc6844cd4074af43e6a73372b44e007f15d6eaa
Opcode Fuzzy Hash: a8c099f6bc385b6e62f4738e9da41e92570e68e8c37d08b8705aa04679cb1759
Instruction Fuzzy Hash: A0310672A0024D6FCB249E78DC84EFB7BBDDB85318F4851A8F559A72D1E6309D84CB60

Function 00DFA5BC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DFA5E2
GetNumberFormatW.KERNEL32(00000400,00000000,?,00E1D600,?,?), ref: 00DFA631

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 7390f35db967a5a80cb24689b7ba49ff35b364dfc254cbccfe6bdc8e43713f25
Instruction ID: 7438788df51bd7e107a5e6aa146c460944024bc0780a7ffd6e4b531012d8b0d3
Opcode Fuzzy Hash: 7390f35db967a5a80cb24689b7ba49ff35b364dfc254cbccfe6bdc8e43713f25
Instruction Fuzzy Hash: EA019E35214218BEDB10DF66EC05FEBBBBCEF49710F409422BA08E7150D3B09928C7A5

Function 00DE6E5E Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00DF10D8,?,00000200), ref: 00DE6E5E
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00DE6E7F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9b74f8b5b48b89f3275d71ad97f6352a636be950373b5cbcd8752d9c9ae6a386
Instruction ID: 7966105f0daa79b58d7446c1fb4f05d160687e14fa90f2588087d99f578e40d9
Opcode Fuzzy Hash: 9b74f8b5b48b89f3275d71ad97f6352a636be950373b5cbcd8752d9c9ae6a386
Instruction Fuzzy Hash: 7BD0C7353843017EFA111E71CC05F6A77556759FC1F14D6047356ED0D0C570D128D62D

Function 00E10FD4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E10FCF,?,?,00000008,?,?,00E10C6F,00000000), ref: 00E11201

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee8252debbd9aa95383b8b62c87cabc86508b61ce610283c9bafb277e7dcebab
Instruction ID: 755649793065994191edfcd8ce197514d083a558bd0810fcd298f6ad792b4912
Opcode Fuzzy Hash: ee8252debbd9aa95383b8b62c87cabc86508b61ce610283c9bafb277e7dcebab
Instruction Fuzzy Hash: 0AB16E31610608DFD715CF28C486BA57BE0FF45368F299698EA99DF2A1C335E9D2CB40

Function 00DE404E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00DE4091

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: dd9b6269e3d921234ae79369201e3c5ae8186238ea1d1def347be406c96c4e07
Instruction ID: 84403e59a3025b1ca2a689d79967cf89f47742cc29e4f9edd889ceaab2f037f5
Opcode Fuzzy Hash: dd9b6269e3d921234ae79369201e3c5ae8186238ea1d1def347be406c96c4e07
Instruction Fuzzy Hash: 2BF1F4B1A083418FC348CF29D880A1AFBE1BFC8208F19892EF598D7751E734E9558F56

Function 00DEAC35 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00DEAC5A

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: f736792d2f2df9876b9b471214178f43a92173d9e2b2f981eb73c86f0645636d
Instruction ID: 7e2ddb1efee4fb0dee59b8902418793371bed0022e8ea7e3699da1db0a70b426
Opcode Fuzzy Hash: f736792d2f2df9876b9b471214178f43a92173d9e2b2f981eb73c86f0645636d
Instruction Fuzzy Hash: E5F01DB4A0421C8FC718DF1AEC416E977B6F75D310F2082A9D92963354D7B0A945CEA1

Function 00DFEEB3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001EEC0,00DFE905), ref: 00DFEEB8

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 059f96ac12a845aa35f752d4e350e8bca42f8696cc7311182afc387a6f08f1d2
Instruction ID: c2b812990a3abb4ea4604f5f6230919f5d8db6751e79f6d7b485d09db70062b9
Opcode Fuzzy Hash: 059f96ac12a845aa35f752d4e350e8bca42f8696cc7311182afc387a6f08f1d2
Instruction Fuzzy Hash:

Function 00E0B610 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E0B610

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0e263d66df27b69959e7564ded875e51d9406fbb7b5969226e1e13bd52f0683b
Instruction ID: 8e0e9ddb3bb72331dbd9a504ffd32cffe92e6c519665f486b3dfd8e55c12baeb
Opcode Fuzzy Hash: 0e263d66df27b69959e7564ded875e51d9406fbb7b5969226e1e13bd52f0683b
Instruction Fuzzy Hash: D4A002746022019F9740CF365E0524D3595675559170680695706D5560D63444755641

Function 00DF5BE7 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39841cac9e84ab4e841f200c595f71da84c95fe04dc46ca835324e53b20566d
Instruction ID: d60c718908ec8f92bbeee0910cd319cd9ad547d29d1863645de3475faec4bc0f
Opcode Fuzzy Hash: a39841cac9e84ab4e841f200c595f71da84c95fe04dc46ca835324e53b20566d
Instruction Fuzzy Hash: C1621671604B899FCB25CF28C8906B9BBE1AF95304F0AC56DDADB8B746D630E945C720

Function 00DF702F Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a6ee81230f9964c2b7d886b5441bde9d52927ebfacf8b9927f48809ae3912
Instruction ID: 04c60add84997e34bb7b1a19d7676ae1c612c920c7c45473ca003f6b22c12076
Opcode Fuzzy Hash: fd5a6ee81230f9964c2b7d886b5441bde9d52927ebfacf8b9927f48809ae3912
Instruction Fuzzy Hash: 8C62117060878A9FC719CF28C8805F9BBE1BF55308F19C66DDA968B742D730E955CBA0

Function 00DEEC54 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dcf4ce7443567a3df9829512a6481c5c28437b96de24cb6201d7f4281e1479
Instruction ID: 4cebafc55e0a22fd5f4737b38842252c4bf6c7847649ed5e215c1d1b2482aee2
Opcode Fuzzy Hash: a8dcf4ce7443567a3df9829512a6481c5c28437b96de24cb6201d7f4281e1479
Instruction Fuzzy Hash: 77524BB26047018FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA59CB86

Function 00DF69EB Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24d17c4d93f082b0e16db6c742580b4923c5bb1aaab54a2bea8779591c8fd90
Instruction ID: b53f389bac894a915367484c8f54ad2e12cf39ead0ab5eda25ea77b2288651fb
Opcode Fuzzy Hash: d24d17c4d93f082b0e16db6c742580b4923c5bb1aaab54a2bea8779591c8fd90
Instruction Fuzzy Hash: D612F3B160070A8BC728CF28D9906B9B7E0FF54308F15C92EE697C7A81D734E994CB65

Function 00DEBD53 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74961fcd4940da522cd83de6969d331c6a1077341a389d42148147683c966d3d
Instruction ID: b674eebc53903f0238f07316079a354aec708fb3558fa8c0560ab1b5f9a21f6d
Opcode Fuzzy Hash: 74961fcd4940da522cd83de6969d331c6a1077341a389d42148147683c966d3d
Instruction Fuzzy Hash: E0F19B716183818FC714EF2AC48062BBBE2EFC9314F185A2EF5D697251D730E9468F66

Function 00E00993 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 473f597802dc1ebba2a1506395253ff7685cb4ef195fea363fb74526bd9812f2
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 50C1C6322051930ADF2D463D897423FFBB15AA27B671A275DD4B7EB0C5FE20C5A4DA20

Function 00E00DC8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 44f89ae9dceb161da0216c602220cf12792536141c8f741f5e337e9873f910e0
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 2FC1A7322051930ADF2D463DC97423FBBA15A927B671A27ADD4B7EF0C4FE20C5A4D620

Function 00E0055E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: ef2244306007598d081598e3d6a7cdf91286e6108b831da014b68decc190d7d3
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 64C1A9322051930ADF2D463DC93423FBBA15E917B671A276DD4B7DB0C5FE20D5A4DA20

Function 00E00146 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9d9c39e0d148dd0fa8435b4c019110151d799fda1ebbb3a1fb3ca13e58ae945c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 82C1D8322051930ADF2D463DC93423FBBA15EA17B671A276DD4B7EB0D5FE20C5A4DA10

Function 00DEE1E0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a4ff622209d6169245d0998983fbb3695934f2dc74133aa6ab4bc64c5720e0
Instruction ID: 974f345c633faffac1f0f26385af4764f2d5cc22912fa5d3f318afddbf69c067
Opcode Fuzzy Hash: 08a4ff622209d6169245d0998983fbb3695934f2dc74133aa6ab4bc64c5720e0
Instruction Fuzzy Hash: 29E157755083948FC314CF6AD48097ABBF0AF8A301F89095EF6D597392C235E91ADF62

Function 00DF39AC Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66462eb08bd74f8c30c79f1e955b78a3e9fbc8ee5d976a6d57d0dc80841f2e89
Instruction ID: 3eaa15507b914f17c66904e71703ed91e24df939b17bd68039b291031c96b1a4
Opcode Fuzzy Hash: 66462eb08bd74f8c30c79f1e955b78a3e9fbc8ee5d976a6d57d0dc80841f2e89
Instruction Fuzzy Hash: 94917AB020474E8BDB24FF29C891BBA77D4EF90300F16892DE6D687282DA74E644C771

Function 00E047A9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abbd5cf5673a402d3ac126b0daaa5273cbbb9a7fc1c4e08247fe5cefa5cc876
Instruction ID: a999f493dc5fe5e50a1f6ea6f26139160e54e99678c6c8f4c0b0e3f9bee14a04
Opcode Fuzzy Hash: 1abbd5cf5673a402d3ac126b0daaa5273cbbb9a7fc1c4e08247fe5cefa5cc876
Instruction Fuzzy Hash: B1616BF260078A56DE3C95A88B957BF6394DB81308F50BD2AFB82FB1C1D611DDC28631

Function 00DF3CDD Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a18d49064e165be0d32872db8d66ea11280a91596ba4a1cde63f58a8bde047c
Instruction ID: 66a23409b97e4e4895d809530e91202f7aadbe2b4f1b8c09b07eeb55f8a7df5b
Opcode Fuzzy Hash: 3a18d49064e165be0d32872db8d66ea11280a91596ba4a1cde63f58a8bde047c
Instruction Fuzzy Hash: FA711B7160474A5BDB24EE2DC8C0B7D77E1EF90304F17892DFA868B282DA74DA858771

Function 00E0457A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 82f2aa4a7cc3e70f4002f355ef4b6122a186c1eb272b1726eb63464600c959ec
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: D251ADF1200A455BDB3459289B55BFF23D99B5330CF18350ADB82F72C2E626EEC18792

Function 00DEDDAC Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9322be99f9230aa2a067baa9f518db53c652c4ccbfa8689b7e77188a9051d24c
Instruction ID: d0940cedef4337e1545d8429185121a76ceee822b754d98cd86e7ac1e83555de
Opcode Fuzzy Hash: 9322be99f9230aa2a067baa9f518db53c652c4ccbfa8689b7e77188a9051d24c
Instruction Fuzzy Hash: 6381D49221A2E49EC7269F7F38E42F53FA15733301F1C01AAC4C5962A3C43645AEDB32

Function 00DEE7E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff988b80710f69ccecaf91dabc53fdcdc919a78aab03e7929580fa64e0120da
Instruction ID: dadb1be2cb8d78c578ad0ef6b86bcf511046a0849b37c402a4cf110a57a1a164
Opcode Fuzzy Hash: 2ff988b80710f69ccecaf91dabc53fdcdc919a78aab03e7929580fa64e0120da
Instruction Fuzzy Hash: A451AF319083D64FC712DF26958046EBFE1AEDA314F49499EE4E55B203C220D64ACBB3

Function 00DEF8A8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fae3a2eb033647af3a17c5476ceea25d9a664b273bee4d9ccd9ccb27016193f
Instruction ID: 87ad63767f0115936e3fb2186a6568ec8379cc936b9f6449a60ef50542aa63c1
Opcode Fuzzy Hash: 8fae3a2eb033647af3a17c5476ceea25d9a664b273bee4d9ccd9ccb27016193f
Instruction Fuzzy Hash: 48512771A083019FC748CF19D49055AF7E1FF88314F054A2EE899A7741D734E959CBD6

Function 00DF3731 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: a6b1fbd355d4b88791fe04e8ecd49b5b94613f0eb509917bcebe3007b93902fd
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: EF3116F160474A8FCB14EF28C85126ABBE0FB95300F16892DE595C7742C739EA59CBB1

Function 00DE5F0C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcc969c388fd221d509c659e842ce44de798a4311cd8765e43c2e819316b1a8
Instruction ID: db5d188f3a8dd7606ac06fb4b164678917be3de2e01b9b73c5c3ebef075cbed3
Opcode Fuzzy Hash: 0bcc969c388fd221d509c659e842ce44de798a4311cd8765e43c2e819316b1a8
Instruction Fuzzy Hash: CE218331A201A18F8B48DE2FECA087A7755BB86351346C12BFE469B3D5C534E929C7E0

Function 00DFBD35 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 428windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DFBD3A

Part of subcall function 00DFA986: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00DFAA4E

SetWindowTextW.USER32(?,?), ref: 00DFC062
_wcsrchr.LIBVCRUNTIME ref: 00DFC1EC
GetDlgItem.USER32(?,00000066), ref: 00DFC227
SetWindowTextW.USER32(00000000,?), ref: 00DFC237
SendMessageW.USER32(00000000,00000143,00000000,00E29472), ref: 00DFC245
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DFC270

Strings

<br>, xrefs: 00DFBFC5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00DFC10B
ProgramFilesDir, xrefs: 00DFC136
%s.%d.tmp, xrefs: 00DFBF31

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 3f80554396533dec39533f98c15556166495043cd355ca219147146326fc6a7b
Instruction ID: 96251e029e85cc1d25406a19b3ce16bbcad3681220c03d4db6c98de7a0d04de0
Opcode Fuzzy Hash: 3f80554396533dec39533f98c15556166495043cd355ca219147146326fc6a7b
Instruction Fuzzy Hash: 72E17E7690025DAAEF24ABA5DD85DEE77BCEF04350F0580A6F659E2041EF709B848B70

Function 00DED9D8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DED9FE

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

Part of subcall function 00DF14F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00E1FEE8,?,00DED142,00000000,?,00000050,00E1FEE8), ref: 00DF150F

_strlen.LIBCMT ref: 00DEDA1F
SetDlgItemTextW.USER32(?,00E1D154,?), ref: 00DEDA7F
GetWindowRect.USER32(?,?), ref: 00DEDAB9
GetClientRect.USER32(?,?), ref: 00DEDAC5
GetWindowLongW.USER32(?,000000F0), ref: 00DEDB65
GetWindowRect.USER32(?,?), ref: 00DEDB92
SetWindowTextW.USER32(?,?), ref: 00DEDBD5
GetSystemMetrics.USER32(00000008), ref: 00DEDBDD
GetWindow.USER32(?,00000005), ref: 00DEDBE8
GetWindowRect.USER32(00000000,?), ref: 00DEDC15
GetWindow.USER32(00000000,00000002), ref: 00DEDC87

Strings

$%s:, xrefs: 00DED9F2
CAPTION, xrefs: 00DEDBB7
d, xrefs: 00DEDAE5

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: ada30a430a716e0953919e22bcb578830a08dc84bc22f1d3018ca7b7a556eb05
Instruction ID: e2dea3d133e16f9d3fca0e8ecf599e1209a40156b5f841db61c0b063460da1f0
Opcode Fuzzy Hash: ada30a430a716e0953919e22bcb578830a08dc84bc22f1d3018ca7b7a556eb05
Instruction Fuzzy Hash: 4B81B271109341AFD710DF6ACC89B6FBBE9EB89704F04491DFA84A7290D670E9498B62

Function 00E0C102 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E0C146

Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BCFE
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD10
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD22
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD34
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD46
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD58
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD6A
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD7C
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BD8E
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BDA0
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BDB2
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BDC4
Part of subcall function 00E0BCE1: _free.LIBCMT ref: 00E0BDD6

_free.LIBCMT ref: 00E0C13B

Part of subcall function 00E0835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?), ref: 00E08374
Part of subcall function 00E0835E: GetLastError.KERNEL32(?,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?,?), ref: 00E08386

_free.LIBCMT ref: 00E0C15D
_free.LIBCMT ref: 00E0C172
_free.LIBCMT ref: 00E0C17D
_free.LIBCMT ref: 00E0C19F
_free.LIBCMT ref: 00E0C1B2
_free.LIBCMT ref: 00E0C1C0
_free.LIBCMT ref: 00E0C1CB
_free.LIBCMT ref: 00E0C203
_free.LIBCMT ref: 00E0C20A
_free.LIBCMT ref: 00E0C227
_free.LIBCMT ref: 00E0C23F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 90e34f50de8365a6e4067b829db75e0a2b9ec73c3515f8d22ce068dac7e15eb4
Instruction ID: 88a10a8d4fcd3d155a48af68d33c1cd45613022672f318c413937d694f768bd6
Opcode Fuzzy Hash: 90e34f50de8365a6e4067b829db75e0a2b9ec73c3515f8d22ce068dac7e15eb4
Instruction Fuzzy Hash: 0F319032604605AFDB20AB78D941B5A73E9FF40714F24691AE498F71E2DF35ADC0C760

Function 00DFCBAE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00DFCBD1
GetClassNameW.USER32(00000000,?,00000800), ref: 00DFCBFD

Part of subcall function 00DF1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00DEBA45,00000000,.exe,?,?,00000800,?,?,00DF854F,?), ref: 00DF171E

GetWindowLongW.USER32(00000000,000000F0), ref: 00DFCC19
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00DFCC30
GetObjectW.GDI32(00000000,00000018,?), ref: 00DFCC44

Part of subcall function 00DF9CEC: GetDC.USER32(00000000), ref: 00DF9CF8
Part of subcall function 00DF9CEC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF9D07
Part of subcall function 00DF9CEC: ReleaseDC.USER32(00000000,00000000), ref: 00DF9D15

Part of subcall function 00DF9CA9: GetDC.USER32(00000000), ref: 00DF9CB5
Part of subcall function 00DF9CA9: GetDeviceCaps.GDI32(00000000,00000058), ref: 00DF9CC4
Part of subcall function 00DF9CA9: ReleaseDC.USER32(00000000,00000000), ref: 00DF9CD2

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00DFCC6D
DeleteObject.GDI32(00000000), ref: 00DFCC74
GetWindow.USER32(00000000,00000002), ref: 00DFCC7D

Strings

STATIC, xrefs: 00DFCC03

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 1d777ff422f0080d342281f893721ad76a0af7cd3c82a92b6e41d70b466fe0eb
Instruction ID: 97e1fe622f9ee4aa8a030610731fd802d5042e27948e942a76d610486113e63b
Opcode Fuzzy Hash: 1d777ff422f0080d342281f893721ad76a0af7cd3c82a92b6e41d70b466fe0eb
Instruction Fuzzy Hash: 7C11273A64135C7FEB206B719D0AFBF7A9CEF46741F06D411FB45B2091CA60898A86B0

Function 00E08D31 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E08D45

Part of subcall function 00E0835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?), ref: 00E08374
Part of subcall function 00E0835E: GetLastError.KERNEL32(?,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?,?), ref: 00E08386

_free.LIBCMT ref: 00E08D51
_free.LIBCMT ref: 00E08D5C
_free.LIBCMT ref: 00E08D67
_free.LIBCMT ref: 00E08D72
_free.LIBCMT ref: 00E08D7D
_free.LIBCMT ref: 00E08D88
_free.LIBCMT ref: 00E08D93
_free.LIBCMT ref: 00E08D9E
_free.LIBCMT ref: 00E08DAC

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f55d0e4e81eac4cd8e13e795bc4444e10336e61bcfa9bf7e894fb63e5e94a19d
Instruction ID: 6cf093902f4505cb6e6b9edf9c07b00cde4128e893ce1dc0bd4e93661f78e61d
Opcode Fuzzy Hash: f55d0e4e81eac4cd8e13e795bc4444e10336e61bcfa9bf7e894fb63e5e94a19d
Instruction Fuzzy Hash: 3E11B676100108BFCB11EF54CA42CDD3BA5FF44750B4565A2BA58AF2A6DA36EF909B80

Function 00DE214E Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 00DE2666
xc%u, xrefs: 00DE26C3
;%u, xrefs: 00DE2483

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 89f62e0ef9feab36087dd60cd1c5e1d0a2e03e40bd8126ec68689ce1668dbb48
Instruction ID: e76f6b75305d7c190ab19f0c414515cb1ce4eb5cf4d250d2589680cafc2e778f
Opcode Fuzzy Hash: 89f62e0ef9feab36087dd60cd1c5e1d0a2e03e40bd8126ec68689ce1668dbb48
Instruction Fuzzy Hash: D0F106716043C05ADB18FF2A8895BFE77DEAF94300F0C456DF9868B283DA649945C7B2

Function 00DFAC20 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

EndDialog.USER32(?,00000001), ref: 00DFAC70
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DFAC97
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00DFACB0
SetWindowTextW.USER32(?,?), ref: 00DFACC1
GetDlgItem.USER32(?,00000065), ref: 00DFACCA
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00DFACDE
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00DFACF4

Strings

LICENSEDLG, xrefs: 00DFAC34

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 0f6d783a5114d34643db55927393ad8e7d90f8711b48c01863c7f023aac776a7
Instruction ID: 8d528c1a928598b921fc0d075fc5898d51c992991efc409450181cbedc74f1fe
Opcode Fuzzy Hash: 0f6d783a5114d34643db55927393ad8e7d90f8711b48c01863c7f023aac776a7
Instruction Fuzzy Hash: C9210779204208BFD6115F7BED49E7B3F6CEB46B81F068004F748B15A0D7629C86D632

Function 00DFCC9F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DFCE0D
GetExitCodeProcess.KERNEL32(?,?), ref: 00DFCE49
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DFCE6F
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DFCEFE

Part of subcall function 00DF1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00DEBA45,00000000,.exe,?,?,00000800,?,?,00DF854F,?), ref: 00DF171E

Strings

.inf, xrefs: 00DFCD8A
, xrefs: 00DFCD1F
.exe, xrefs: 00DFCE79

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExitHandleProcessString
String ID: $.exe$.inf
API String ID: 3583256687-2452507128
Opcode ID: f44139c00119bc43f3586069f5bb7466ae2a84ec037e0a7b92821058957709d0
Instruction ID: d74dc727e9e6961d02239b20075d6e2177a3143f9ce1e6974fd8c22b46bb4090
Opcode Fuzzy Hash: f44139c00119bc43f3586069f5bb7466ae2a84ec037e0a7b92821058957709d0
Instruction Fuzzy Hash: 0A61E57042838C9BDB319F11DA046BBBBE5AF81344F0DA81DF6C4A7150E7B189A9D771

Function 00DE93E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE93E5
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00DE9408
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00DE9427

Part of subcall function 00DF1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00DEBA45,00000000,.exe,?,?,00000800,?,?,00DF854F,?), ref: 00DF171E

_swprintf.LIBCMT ref: 00DE94C3

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

MoveFileW.KERNEL32(?,?), ref: 00DE9532
MoveFileW.KERNEL32(?,?), ref: 00DE9572

Strings

rtmp%d, xrefs: 00DE94AC

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 41f59c55139a5bab074c7a9f2e5ae605538bb1d2746c77a9c6b0be7ddd804b6e
Instruction ID: ca0b8fe906ed6a1b10067a136d074475019c606edab617096e911bede1ab854d
Opcode Fuzzy Hash: 41f59c55139a5bab074c7a9f2e5ae605538bb1d2746c77a9c6b0be7ddd804b6e
Instruction Fuzzy Hash: 914151719022996ACF21FB628D55AEEB77CEF44380F0448A5B645E7041EB749B84CB74

Function 00DF09EA Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00DF09FD

Part of subcall function 00DEAC35: GetVersionExW.KERNEL32(?), ref: 00DEAC5A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00DF0A20
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00DF0A32
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DF0A43
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF0A53
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF0A63
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DF0A9D
__aullrem.LIBCMT ref: 00DF0B2B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: de59d75d6713ea6a52bb291e582c10f8a6028d3ed29e28dfb850f70bf05f3cf1
Instruction ID: 805c22d45590e06b51cd946e4d3a627696cd9d8b13b701c6c538c66365248209
Opcode Fuzzy Hash: de59d75d6713ea6a52bb291e582c10f8a6028d3ed29e28dfb850f70bf05f3cf1
Instruction Fuzzy Hash: 62414E7150830A9FC310DF65C8809ABFBF8FF88715F048A2EF69692250E734E558CB61

Function 00E0EC6D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E0F3E2,00000000,00000000,00000000,00000000,00000000,00E0487F), ref: 00E0ECAF
__fassign.LIBCMT ref: 00E0ED2A
__fassign.LIBCMT ref: 00E0ED45
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E0ED6B
WriteFile.KERNEL32(?,00000000,00000000,00E0F3E2,00000000,?,?,?,?,?,?,?,?,?,00E0F3E2,00000000), ref: 00E0ED8A
WriteFile.KERNEL32(?,00000000,00000001,00E0F3E2,00000000,?,?,?,?,?,?,?,?,?,00E0F3E2,00000000), ref: 00E0EDC3

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: afcba19c5b18e3686a5c5c4d62b968b91a014f5a889d8a6f823795a1e42452d2
Instruction ID: 654c8f59d6736c7ed048a573491cb331205c5fd80fd75ca6ca47e0bc958aea31
Opcode Fuzzy Hash: afcba19c5b18e3686a5c5c4d62b968b91a014f5a889d8a6f823795a1e42452d2
Instruction Fuzzy Hash: 5D51B371A002499FDB10CFA8DC85AEEBBF9EF09300F14496AE555F7391D7709985CBA0

Function 00DFC3AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00DFC3C1
_swprintf.LIBCMT ref: 00DFC3F5

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

SetDlgItemTextW.USER32(?,00000066,00E2846A), ref: 00DFC415
_wcschr.LIBVCRUNTIME ref: 00DFC448
EndDialog.USER32(?,00000001), ref: 00DFC529

Strings

%s%s%u, xrefs: 00DFC3EA

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: f15787d111054d083cae480d64113fe8789d931df8b43279281d51d5bd1ddf3b
Instruction ID: 7134da53613a1c334b751203b18a75cdd042de3970fea6779c704410e9e55b59
Opcode Fuzzy Hash: f15787d111054d083cae480d64113fe8789d931df8b43279281d51d5bd1ddf3b
Instruction Fuzzy Hash: 4041847191065DAEEF24EBA1DD85EEE77B8EB04304F0190A6F608E6051EF709A948F71

Function 00DF8DB2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00DF8E88
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00DF8EA9

Strings

<html>, xrefs: 00DF8DF7, 00DF8E30
</html>, xrefs: 00DF8E5A
utf-8"></head>, xrefs: 00DF8E0D
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00DF8E02

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: ca8392211d676eb2bc09445b15f35c3cc0d387619d351fb8f2738e89fa4c6e82
Instruction ID: 72606b040862e31cfc76a90b3cebaaf6f396959946dec392359bbccdeab5e560
Opcode Fuzzy Hash: ca8392211d676eb2bc09445b15f35c3cc0d387619d351fb8f2738e89fa4c6e82
Instruction Fuzzy Hash: 9431153260431A7ED721AF309C02FBB7B98EF41720F098519FA11A61C1EF759A4993B6

Function 00DF95B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00DF95CE
GetWindowRect.USER32(?,00000000), ref: 00DF9613
ShowWindow.USER32(?,00000005,00000000), ref: 00DF96AA
SetWindowTextW.USER32(?,00000000), ref: 00DF96B2
ShowWindow.USER32(00000000,00000005), ref: 00DF96C8

Strings

RarHtmlClassName, xrefs: 00DF9674

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 96e26f67eff8496a3adb2a23910996c0d506e0e95daf4d84063f794bd5650713
Instruction ID: a00c35b8e908e79dfd7f285cb48d5cf7ae7f5734f15104c09d20f4e1d51903dd
Opcode Fuzzy Hash: 96e26f67eff8496a3adb2a23910996c0d506e0e95daf4d84063f794bd5650713
Instruction Fuzzy Hash: C4311031805308AFCB119F61DC48B7BBFA8EF48301F058599FB49AA252CB30D885CB71

Function 00E0BE84 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E0BE48: _free.LIBCMT ref: 00E0BE71

_free.LIBCMT ref: 00E0BED2

Part of subcall function 00E0835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?), ref: 00E08374
Part of subcall function 00E0835E: GetLastError.KERNEL32(?,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?,?), ref: 00E08386

_free.LIBCMT ref: 00E0BEDD
_free.LIBCMT ref: 00E0BEE8
_free.LIBCMT ref: 00E0BF3C
_free.LIBCMT ref: 00E0BF47
_free.LIBCMT ref: 00E0BF52
_free.LIBCMT ref: 00E0BF5D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 356fc02368e4ecaa91237549490116c2f84ce8f596afca7e47be9645dca2cef3
Instruction ID: 0aa21fc586372a07cf6d3624dea6914f889784df624f9b74bef5c63578670640
Opcode Fuzzy Hash: 356fc02368e4ecaa91237549490116c2f84ce8f596afca7e47be9645dca2cef3
Instruction Fuzzy Hash: 3A114C72540B08AAD620BBB0CD07FCB77DDBF44B00F441C15B399BA0D2DB79B6869650

Function 00E01F1A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E01F11,00DFF962), ref: 00E01F28
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E01F36
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E01F4F
SetLastError.KERNEL32(00000000,?,00E01F11,00DFF962), ref: 00E01FA1

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2fcb0958ba2c925d86a8edd2875af9609dd22df97330b565c239d6acc8e96303
Instruction ID: f6dc2d1b3480ed512943706224a85570532c1d9707160d0f32759097f3c7310f
Opcode Fuzzy Hash: 2fcb0958ba2c925d86a8edd2875af9609dd22df97330b565c239d6acc8e96303
Instruction Fuzzy Hash: 48012B3230D3236EE7142F76BC856AA2B99EF567B9720636EF114BD0E0EF114CE69144

Function 00DFDAF0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 00DFDB0A
ReleaseSRWLockExclusive, xrefs: 00DFDB2F
AcquireSRWLockExclusive, xrefs: 00DFDB1F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 1c2cc4f3bf1e56c3c5267d32eeb80d4c85b0166dff8481ae77f1db131fc578ab
Instruction ID: bbd9b8e49088fb3041d6789fccec3f261130663bfcb879c96874cd2004e2309b
Opcode Fuzzy Hash: 1c2cc4f3bf1e56c3c5267d32eeb80d4c85b0166dff8481ae77f1db131fc578ab
Instruction Fuzzy Hash: 73012671B8022A5F4F204E662C886F737AB670275131FE17AEB01E3280D611C885D7B4

Function 00DF0C1E Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF0C6D

Part of subcall function 00DEAC35: GetVersionExW.KERNEL32(?), ref: 00DEAC5A

LocalFileTimeToFileTime.KERNEL32(?,00DF0C18), ref: 00DF0C91
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DF0CA7
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00DF0CB6
SystemTimeToFileTime.KERNEL32(?,00DF0C18), ref: 00DF0CC4
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF0CD2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 2e49fd41a57eacbc174f965d664a595129fc1f97f1ed2c5eceaf6e57dea0cd1c
Instruction ID: a05af07e649f2aec4c5ff80e9407b42441dab0a9081abae3c08e261ed5a40f31
Opcode Fuzzy Hash: 2e49fd41a57eacbc174f965d664a595129fc1f97f1ed2c5eceaf6e57dea0cd1c
Instruction Fuzzy Hash: B031C87A90020EAFCB00DFE5D8849EFBBB8FF58700B05855AEA55E7210E7309555CB79

Function 00DF9110 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00DF9134
_memcmp.LIBVCRUNTIME ref: 00DF914B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 80424327a04bff97e03e0ea678f6dbb2fe04a2f8d4fe1f8485c9c8501d18a689
Instruction ID: 4616f8e297ddde1c68b752c4de0ce947db00bae334f53fe4ff9e1c537b7cc40b
Opcode Fuzzy Hash: 80424327a04bff97e03e0ea678f6dbb2fe04a2f8d4fe1f8485c9c8501d18a689
Instruction Fuzzy Hash: 4121A3B1A0430FABD704AF10CC91F7BB7A9AF54744B16C138FE44AB241E230DE4586B0

Function 00E08E25 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E1FF50,00E03C54,00E1FF50,?,?,00E036CF,?,?,00E1FF50), ref: 00E08E29
_free.LIBCMT ref: 00E08E5C
_free.LIBCMT ref: 00E08E84
SetLastError.KERNEL32(00000000,?,00E1FF50), ref: 00E08E91
SetLastError.KERNEL32(00000000,?,00E1FF50), ref: 00E08E9D
_abort.LIBCMT ref: 00E08EA3

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9091006484a4364b77e54652e99797a867d5e9e59852673c4feaa9e1cd360886
Instruction ID: 2e53994152908d78aa73a450aef456687559d7ea3fb18c251926ed43d78ed421
Opcode Fuzzy Hash: 9091006484a4364b77e54652e99797a867d5e9e59852673c4feaa9e1cd360886
Instruction Fuzzy Hash: 20F028361047002AD2127735FE0AF9F26A69BD0BA5F353228F6E9B21D1EF6088C3C025

Function 00DFA8E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

EndDialog.USER32(?,00000001), ref: 00DFA92E
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00DFA946
SetDlgItemTextW.USER32(?,00000067,?), ref: 00DFA974

Strings

pZ, xrefs: 00DFA952
GETPASSWORD1, xrefs: 00DFA8F9

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$pZ
API String ID: 445417207-1351459933
Opcode ID: 51535b1c931569ca4716797989dfbb88a5699442cb1da6b497f3bf083325743d
Instruction ID: 7bf3008f00c3f6a5dabfb9020bb6a14e9cc2e51c7f8df6fffba47549c095c439
Opcode Fuzzy Hash: 51535b1c931569ca4716797989dfbb88a5699442cb1da6b497f3bf083325743d
Instruction Fuzzy Hash: D611487690011C7ADB21AA799D09FFB7B7CEB4A700F464070FB89B2080C2E1D9819A72

Function 00DFCB10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

EndDialog.USER32(?,00000001), ref: 00DFCB5B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00DFCB71
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFCB85
SetDlgItemTextW.USER32(?,00000068), ref: 00DFCB94

Strings

RENAMEDLG, xrefs: 00DFCB28

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: fa018afc72e7123b426f2338cb101b166c610685e0635733964ece21c5c1dd15
Instruction ID: 730215f7eb0cb978e254e9c9dc05a5da767b4805afe5221f012ad0fe20c94e27
Opcode Fuzzy Hash: fa018afc72e7123b426f2338cb101b166c610685e0635733964ece21c5c1dd15
Instruction Fuzzy Hash: 4301F53A2A935C7ED6105B76AE0AFB67B6CEB5AB02F059400F345B60D0C6A19819C771

Function 00E02319 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E02330

Part of subcall function 00E02968: ___AdjustPointer.LIBCMT ref: 00E029B2

_UnwindNestedFrames.LIBCMT ref: 00E02347
___FrameUnwindToState.LIBVCRUNTIME ref: 00E02359
CallCatchBlock.LIBVCRUNTIME ref: 00E0237D

Strings

E', xrefs: 00E0233C, 00E0232D

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: E'
API String ID: 2633735394-535256440
Opcode ID: 85922d69eac58b553849b4939f9ebe2b6291e1533c257ba7745a1c0a1e2d1bc0
Instruction ID: aaabe8da3d67fe68d80deb2dcd5817b32bcb200d70f73f6605d85adfb4dd4c01
Opcode Fuzzy Hash: 85922d69eac58b553849b4939f9ebe2b6291e1533c257ba7745a1c0a1e2d1bc0
Instruction Fuzzy Hash: 9701D73240010ABBCF129F55CC09EEA7BEAEF58754F159019FA5875161C33AE8A1EBA0

Function 00E073E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E07399,?,?,00E07339,?,00E1AAB8,0000000C,00E07490,?,00000002), ref: 00E07408
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E0741B
FreeLibrary.KERNEL32(00000000,?,?,?,00E07399,?,?,00E07339,?,00E1AAB8,0000000C,00E07490,?,00000002,00000000), ref: 00E0743E

Strings

CorExitProcess, xrefs: 00E07413
mscoree.dll, xrefs: 00E07401

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6e92615e13f2e4489e4dc83f37b344099dcb8033190a6a18da5a80eb5e1856d4
Instruction ID: 32d52663dc819b833f698269ab7d50859232904317c8577192f9b180f0594d33
Opcode Fuzzy Hash: 6e92615e13f2e4489e4dc83f37b344099dcb8033190a6a18da5a80eb5e1856d4
Instruction Fuzzy Hash: D8F0A970A0520CBFCB145F55DC09BDDBFB4EB04715F009058F905B2290DB705A94CB90

Function 00DEEAB3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DEFFFE
Part of subcall function 00DEFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEEAC6,Crypt32.dll,00000000,00DEEB4A,?,?,00DEEB2C,?,?,?), ref: 00DF0020

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DEEAD2
GetProcAddress.KERNEL32(00E271C0,CryptUnprotectMemory), ref: 00DEEAE2

Strings

CryptUnprotectMemory, xrefs: 00DEEAD8
Crypt32.dll, xrefs: 00DEEABC
CryptProtectMemory, xrefs: 00DEEACC

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 662837f51244b7270f735ea486777924b016a616645bbf7db2f005392e5e58af
Instruction ID: 65b547317b6d1d68ec05520e10807ec151d7e892342e29b2372c6dc3177cfe97
Opcode Fuzzy Hash: 662837f51244b7270f735ea486777924b016a616645bbf7db2f005392e5e58af
Instruction Fuzzy Hash: EAE01A709007819ECB216F2A9C08A8A7AE4AB18714F04D82DB585E3150D6B494D48B60

Function 00E07C09 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E07C7B
_free.LIBCMT ref: 00E07C9B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6b0684461d243fde9589405922024548bd9159ca9e443821434066381e4b701d
Instruction ID: 538d0c7e93d3d6f9645e7ca75a4490baf43ac8a94c055420f1f5f60e1927d3a3
Opcode Fuzzy Hash: 6b0684461d243fde9589405922024548bd9159ca9e443821434066381e4b701d
Instruction Fuzzy Hash: FC41B072E002009FDB24DF78C881A6DB7E6EF89714B1555A9E555FB281DB31AE81CB80

Function 00E0B510 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E0B519
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0B53C

Part of subcall function 00E08398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E03866,?,0000015D,?,?,?,?,00E04D42,000000FF,00000000,?,?), ref: 00E083CA

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E0B562
_free.LIBCMT ref: 00E0B575
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E0B584

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: af378258a8d89b8a1054693633e2239be87230045a63dd71de2fd25c6d16fce4
Instruction ID: b5f4ae1824505dc58340e84a47d5b9efa07bb3dec5de818778a26776a9936149
Opcode Fuzzy Hash: af378258a8d89b8a1054693633e2239be87230045a63dd71de2fd25c6d16fce4
Instruction Fuzzy Hash: E901B572B01210BFA3215A767C48CBF6A6EFEC6BA43154169BA04F2190DB618D8191B0

Function 00E08EA9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E087DF,00E0847B,?,00E08E53,00000001,00000364,?,00E036CF,?,?,00E1FF50), ref: 00E08EAE
_free.LIBCMT ref: 00E08EE3
_free.LIBCMT ref: 00E08F0A
SetLastError.KERNEL32(00000000,?,00E1FF50), ref: 00E08F17
SetLastError.KERNEL32(00000000,?,00E1FF50), ref: 00E08F20

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 89a7a547cd4c8320b874bd741503e1e1381965f191be743acc380238123c8ef9
Instruction ID: b49c3caf620a80c04e7cd8bd2ed5afa344fd3dedb43c3709fb2c3156e04500e8
Opcode Fuzzy Hash: 89a7a547cd4c8320b874bd741503e1e1381965f191be743acc380238123c8ef9
Instruction Fuzzy Hash: 890149362046022BD7126B35AF49DAF219BDBD03B53252238F695B22D2DE608C868020

Function 00DF06B9 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00DF09A1: ResetEvent.KERNEL32(?), ref: 00DF09B3
Part of subcall function 00DF09A1: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00DF09C7

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00DF06ED
CloseHandle.KERNEL32(?,?), ref: 00DF0707
DeleteCriticalSection.KERNEL32(?), ref: 00DF0720
CloseHandle.KERNEL32(?), ref: 00DF072C
CloseHandle.KERNEL32(?), ref: 00DF0738

Part of subcall function 00DF07AC: WaitForSingleObject.KERNEL32(?,000000FF,00DF08CB,?,?,00DF094F,?,?,?,?,?,00DF0939), ref: 00DF07B2
Part of subcall function 00DF07AC: GetLastError.KERNEL32(?,?,00DF094F,?,?,?,?,?,00DF0939), ref: 00DF07BE

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 22912f919c306b5316446787f3fcb16247946c916289cb8747149699d5ad8611
Instruction ID: 354530e338a90021622f509ddabd4a97e60b3e5f813485bdf125ea7a680558d3
Opcode Fuzzy Hash: 22912f919c306b5316446787f3fcb16247946c916289cb8747149699d5ad8611
Instruction Fuzzy Hash: 33019272040708EFC722AF69DC84BD6BFE9FB48710F00866DF26A93161CB756958DB60

Function 00E0BDDF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0BDF7

Part of subcall function 00E0835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?), ref: 00E08374
Part of subcall function 00E0835E: GetLastError.KERNEL32(?,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?,?), ref: 00E08386

_free.LIBCMT ref: 00E0BE09
_free.LIBCMT ref: 00E0BE1B
_free.LIBCMT ref: 00E0BE2D
_free.LIBCMT ref: 00E0BE3F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aca6157d8ef287d9eb2688b77d630deab2ad2441c7f39ba7f2fe9d906e0d6fec
Instruction ID: d3a86e29cdf170b690d59a86efeb359c4ffe48e05da00c445665bc5383a8eb08
Opcode Fuzzy Hash: aca6157d8ef287d9eb2688b77d630deab2ad2441c7f39ba7f2fe9d906e0d6fec
Instruction Fuzzy Hash: E4F0FF73508214ABC620DF55FA86D9A73E9FB80B247586C06F148F7590CB25FDC08694

Function 00E07E80 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E07E9E

Part of subcall function 00E0835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?), ref: 00E08374
Part of subcall function 00E0835E: GetLastError.KERNEL32(?,?,00E0BE76,?,00000000,?,00000000,?,00E0BE9D,?,00000007,?,?,00E0C29A,?,?), ref: 00E08386

_free.LIBCMT ref: 00E07EB0
_free.LIBCMT ref: 00E07EC3
_free.LIBCMT ref: 00E07ED4
_free.LIBCMT ref: 00E07EE5

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a0b225875de7f227a130b2c6f7813543e43685b99271226ab63ffa7c910e5cb
Instruction ID: 3c8de1efe68107a8fd52f3e9543672683842eb89c91e8322f3519099db6318ea
Opcode Fuzzy Hash: 8a0b225875de7f227a130b2c6f7813543e43685b99271226ab63ffa7c910e5cb
Instruction Fuzzy Hash: 8AF0BE7AC092209FC742AF16FE015443BA1FB86B20306166AF681766F1CB36199B8B85

Function 00E074E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\zixing.exe,00000104), ref: 00E07523
_free.LIBCMT ref: 00E075EE
_free.LIBCMT ref: 00E075F8

Strings

C:\Users\user\Desktop\zixing.exe, xrefs: 00E0751A, 00E07521, 00E07550, 00E07588

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\zixing.exe
API String ID: 2506810119-1737737843
Opcode ID: e3c802b0e9c1d5d5012a410d234763df2296ebfa2feef9dc018d2fde72caf93a
Instruction ID: 2da57731f623878cbeefd76e7ba298f041c3159ff4bb1a1294963b0f91fc7967
Opcode Fuzzy Hash: e3c802b0e9c1d5d5012a410d234763df2296ebfa2feef9dc018d2fde72caf93a
Instruction Fuzzy Hash: 2F31B571E08218AFDB21DF999C819DEBBF8EF85310F105066F585B7290D671AE80CB90

Function 00DE754D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE7552

Part of subcall function 00DE3B26: __EH_prolog.LIBCMT ref: 00DE3B2B

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00DE7619

Part of subcall function 00DE7BCE: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DE7BDD
Part of subcall function 00DE7BCE: GetLastError.KERNEL32 ref: 00DE7C23
Part of subcall function 00DE7BCE: CloseHandle.KERNEL32(?), ref: 00DE7C32

Strings

SeRestorePrivilege, xrefs: 00DE75AC
SeSecurityPrivilege, xrefs: 00DE7597

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 563934cd63d9b42570c7837c8d13d9a2bfc7c31865454ac31167dbd240369a5f
Instruction ID: 28dff4a6f7faf6c4757e9849ed4bfc5fac5888df1c8184ed06fb60a362dfc421
Opcode Fuzzy Hash: 563934cd63d9b42570c7837c8d13d9a2bfc7c31865454ac31167dbd240369a5f
Instruction Fuzzy Hash: 89319071A08288AEDF60FF669C01BEE7B79EF45354F04806AF549B7192D7704988CBB1

Function 00DFA3B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00DE130B: GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
Part of subcall function 00DE130B: SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

EndDialog.USER32(?,00000001), ref: 00DFA438
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00DFA44D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFA462

Strings

ASKNEXTVOL, xrefs: 00DFA3C8

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 8b204488f36ac55f3ae143fd9fa4debefd87329ceeeda5168d5c41594cdb16d5
Instruction ID: d704b4d88c0a5cef118bfc4214955c659a3598127d1db22111c5820f8c1d93ae
Opcode Fuzzy Hash: 8b204488f36ac55f3ae143fd9fa4debefd87329ceeeda5168d5c41594cdb16d5
Instruction Fuzzy Hash: 9111D672640248BFDB119F6DDD0DF767B69EF4A740F054010F748A71A0C6A1A945D736

Function 00DED103 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00DED16E
_strncpy.LIBCMT ref: 00DED1B8

Strings

@%s, xrefs: 00DED158
$%s, xrefs: 00DED163

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 40bfba27d77a7c3c7ddbc3bb54a8f616baccf0057bf3bfa9bdb41c45388b0bc5
Instruction ID: ec3bbc42e4211783f8dae8c847c0f14837983cbbbf2c39c1b1a968bb3b0b5289
Opcode Fuzzy Hash: 40bfba27d77a7c3c7ddbc3bb54a8f616baccf0057bf3bfa9bdb41c45388b0bc5
Instruction Fuzzy Hash: 0821A272540388AEDF20EFA5CC06FEE3BA9EF05300F040516FA14A61A2D771DA95CB71

Function 00DEB437 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DEB45E

Part of subcall function 00DE3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE3FE9

_wcschr.LIBVCRUNTIME ref: 00DEB47C
_wcschr.LIBVCRUNTIME ref: 00DEB48C

Strings

%c:\, xrefs: 00DEB454

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: a7488b112f09b10232a4805f29d182580ccca67e6533b14039f4d36b898212cf
Instruction ID: c4b17f72f2f1518e7ab00b0279c9bcc76ece8b8a2ab1373cdf54848a94f4f1b4
Opcode Fuzzy Hash: a7488b112f09b10232a4805f29d182580ccca67e6533b14039f4d36b898212cf
Instruction Fuzzy Hash: BD01452350435269D7207B769C86D6BB3ECEE85370B84841BF984D64C2FB34E880C7B1

Function 00DF0618 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00DEAB05,00000008,?,00000000,?,00DECAC8,?,00000000), ref: 00DF0651
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00DEAB05,00000008,?,00000000,?,00DECAC8,?,00000000), ref: 00DF065B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00DEAB05,00000008,?,00000000,?,00DECAC8,?,00000000), ref: 00DF066B

Strings

Thread pool initialization failed., xrefs: 00DF0683

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 045c80f80e2f8daf36f5b41d6a234343db76bffac4c4699db45570ba5e85c2c2
Instruction ID: e10cd888a2f41124a4e0623263b1eadcc882a11c082587b9bc8937f1d290d684
Opcode Fuzzy Hash: 045c80f80e2f8daf36f5b41d6a234343db76bffac4c4699db45570ba5e85c2c2
Instruction Fuzzy Hash: 571191B15007089FC3215F66DC84AA7FBECEB99754F14882EF2DAC3201D6715990CB60

Function 00DFD1E1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00DFD21F, 00DFD253
RENAMEDLG, xrefs: 00DFD234

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e2e2d3ee5b7acbadb474ef94daa3e02f5a5f99c1daacd08e7c5f5bbfcd01ad46
Instruction ID: 6ac63aaa4ed44485f9b81e2f3112f5147c214495dee5e2b1b22f149b28cb7471
Opcode Fuzzy Hash: e2e2d3ee5b7acbadb474ef94daa3e02f5a5f99c1daacd08e7c5f5bbfcd01ad46
Instruction Fuzzy Hash: DF019231A08348BFCB216F2AFC05AB67FABA745390B055021FA45A3231D231CC99E7F0

Function 00E0905E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E090E9
__alldvrm.LIBCMT ref: 00E092EA
__alldvrm.LIBCMT ref: 00E0930C

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 5368bc68b7d4e75d7d9cee32b5eb0aa7715ff483d2baf0e8f8fec88c13379cf7
Instruction ID: 1a43c48aa18550190db5f2e41e474171e7166eecddbcab733513337bb63c20e9
Opcode Fuzzy Hash: 5368bc68b7d4e75d7d9cee32b5eb0aa7715ff483d2baf0e8f8fec88c13379cf7
Instruction Fuzzy Hash: 88A14771A04346AFEB21CF68C8917AEBBE5EF55314F19416DE585BB2D3C23889C1CB50

Function 00E0BF68 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,7FE85006,00E03DA6,00000000,00000000,00E04DDB,?,00E04DDB,?,00000001,00E03DA6,7FE85006,00000001,00E04DDB,00E04DDB), ref: 00E0BFB5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E0C03E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E0C050
__freea.LIBCMT ref: 00E0C059

Part of subcall function 00E08398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E03866,?,0000015D,?,?,?,?,00E04D42,000000FF,00000000,?,?), ref: 00E083CA

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 06cf40122ece0ae649c53b7794b2250b3479359dab673be098ecc81a9abff47a
Instruction ID: 2a87bcfb8509ec48c86109110268716246e0758450c325830042020c398c19da
Opcode Fuzzy Hash: 06cf40122ece0ae649c53b7794b2250b3479359dab673be098ecc81a9abff47a
Instruction Fuzzy Hash: 1531DE72A0020AAFDB248F65CC45EEF7BA5EB40714F148228FD08E7290E735CD94DBA0

Function 00DFAD3D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00DFAD4D
GetObjectW.GDI32(00000000,00000018,?), ref: 00DFAD6E
DeleteObject.GDI32(00000000), ref: 00DFAD90
DeleteObject.GDI32(00000000), ref: 00DFADB3

Part of subcall function 00DF9D9A: FindResourceW.KERNELBASE(00DFAD89,PNG,?,?,?,00DFAD89,00000066), ref: 00DF9DAC
Part of subcall function 00DF9D9A: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DC4
Part of subcall function 00DF9D9A: LoadResource.KERNEL32(00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DD7
Part of subcall function 00DF9D9A: LockResource.KERNEL32(00000000,?,?,?,00DFAD89,00000066), ref: 00DF9DE2

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: d105aa6e9c6bb20b2238583bda2db3dbcf7977c67d427ef03a8b3e172217c19b
Instruction ID: 3e9385d9e0624792be8ca6293008400041abb6461595dec117923e9b2a07f673
Opcode Fuzzy Hash: d105aa6e9c6bb20b2238583bda2db3dbcf7977c67d427ef03a8b3e172217c19b
Instruction Fuzzy Hash: 5801FC3698010D6BC71137355C15B7FBA6DDF82B92F0E8151FF04B7295EE218C0641B1

Function 00E01E66 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00E01E66
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00E01E6B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00E01E70

Part of subcall function 00E02F2E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00E02F3F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00E01E85

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: db56094726013a0e7960dbb605aab973f1732d5fd0b5120fa08f3f94fc27d9a5
Instruction ID: 46326c0255162404fab6c87897ab70e217e769268fb9876a1b700e568ab199f5
Opcode Fuzzy Hash: db56094726013a0e7960dbb605aab973f1732d5fd0b5120fa08f3f94fc27d9a5
Instruction Fuzzy Hash: 08C04C1C20030364EC103AF561062ED53D81D637C87A031C5AD603F0E35A1609CF1036

Function 00DF9EDB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9D6F: GetDC.USER32(00000000), ref: 00DF9D73
Part of subcall function 00DF9D6F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DF9D7E
Part of subcall function 00DF9D6F: ReleaseDC.USER32(00000000,00000000), ref: 00DF9D89

GetObjectW.GDI32(?,00000018,?), ref: 00DF9F0B

Part of subcall function 00DFA163: GetDC.USER32(00000000), ref: 00DFA16C
Part of subcall function 00DFA163: GetObjectW.GDI32(?,00000018,?), ref: 00DFA19B
Part of subcall function 00DFA163: ReleaseDC.USER32(00000000,?), ref: 00DFA233

Strings

(, xrefs: 00DFA021

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 31028e9d7bd91d446e961641dcfcff3647f80f04760e0d1fbda989dfa345ae65
Instruction ID: 33edffde8b6d34e6e890013389f1e94cef349afe2ebc3591255c509a205b5442
Opcode Fuzzy Hash: 31028e9d7bd91d446e961641dcfcff3647f80f04760e0d1fbda989dfa345ae65
Instruction Fuzzy Hash: 4B8117756083589FC610DF25CC44A6ABBF9FF88700F01895DFA9AE7260CB34AD05CB62

Function 00DF0D97 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DF0F51

Strings

%ls, xrefs: 00DF0DD6, 00DF0DEC
%s: %s, xrefs: 00DF0F60

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: f845e05558019de30917a47f1f5b9fe119839072735a58ad043419f1d8cf878c
Instruction ID: 7fc00b350178d5578deaa63d8c0342cbd4ad516bd968a9c3243825613cd99336
Opcode Fuzzy Hash: f845e05558019de30917a47f1f5b9fe119839072735a58ad043419f1d8cf878c
Instruction Fuzzy Hash: A25138316C834DF5EA212A948D42F367E16EF08B01F27C906B3D67A8D3C9A1D5506673

Function 00E0A798 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0A904

Part of subcall function 00E086C9: IsProcessorFeaturePresent.KERNEL32(00000017,00E086B8,0000002C,00E1AC20,00E0B8E6,00000000,00000000,00E08EA8,?,?,00E086C5,00000000,00000000,00000000,00000000,00000000), ref: 00E086CB
Part of subcall function 00E086C9: GetCurrentProcess.KERNEL32(C0000417,00E1AC20,0000002C,00E083F6,00000016,00E08EA8), ref: 00E086ED
Part of subcall function 00E086C9: TerminateProcess.KERNEL32(00000000), ref: 00E086F4

Strings

*?, xrefs: 00E0A7DB
., xrefs: 00E0AABB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7862bbd4a364659598cbf5db2284bf22e5480a30c37370ad1f5e95b10fff7af4
Instruction ID: 37cfe7164078a586dc347c72a5864237d3c7c0a6b22087670e67e82b78f0e2c7
Opcode Fuzzy Hash: 7862bbd4a364659598cbf5db2284bf22e5480a30c37370ad1f5e95b10fff7af4
Instruction Fuzzy Hash: 83518171E002099FDF14DFA8C881AADB7F5EF58314F298179E454F7381E6319E428B51

Function 00DE7704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE7709
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE78A5

Part of subcall function 00DEA384: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DEA1BA,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA398
Part of subcall function 00DEA384: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DEA1BA,?,?,?,00DEA053,?,00000001,00000000,?,?), ref: 00DEA3C9

Strings

:, xrefs: 00DE777A

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 86117925986785282c3d34b4466388a8bdbf4d06adc2b85d24c1601c69fbc9a7
Instruction ID: 9046557584349d7c28da7a61be62e3525be9901734de21ae8958a26f594fa499
Opcode Fuzzy Hash: 86117925986785282c3d34b4466388a8bdbf4d06adc2b85d24c1601c69fbc9a7
Instruction Fuzzy Hash: 2C419F71805298AADF25FB52CC99EEEB77CEF41300F0040E9B609A6082DB705F89DB71

Function 00DEB5AC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00DEB5FE, 00DEB63A, 00DEB69B, 00DEB6EE
UNC, xrefs: 00DEB648

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 1d6a0c3ee77be236af10cc9b92d5cc4888dbad576bd5d9d50c1ec7d0ffd58e2b
Instruction ID: b3436526f4fbb57c81157c121ad1095427ff8da38027fcc9feae2c82f9d59e53
Opcode Fuzzy Hash: 1d6a0c3ee77be236af10cc9b92d5cc4888dbad576bd5d9d50c1ec7d0ffd58e2b
Instruction Fuzzy Hash: 27418F35400399AACB21BF62DC81EEF7BADEF853A0B144467F858A7551D770E9908BB0

Function 00DF41A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DF4348

Strings

H3, xrefs: 00DF42B5
X3, xrefs: 00DF42E9

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: Exception@8Throw
String ID: H3$X3
API String ID: 2005118841-767601298
Opcode ID: 08fa63a3e55d5bd41dc87ccad3a1bfd2d723f07e3fde05cfab0b1066af973f1c
Instruction ID: f4685e8f4d40a34d869b66d483de51110b1b05eae985e1b9c8ddfd90eddb044b
Opcode Fuzzy Hash: 08fa63a3e55d5bd41dc87ccad3a1bfd2d723f07e3fde05cfab0b1066af973f1c
Instruction Fuzzy Hash: 99418D706007048FD314DF28C891BAAB7E5FF98314F05892DEA9AC7351EB76E948CB61

Function 00DF8F06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00DF8F14

Strings

about:blank, xrefs: 00DF8FD2
Shell.Explorer, xrefs: 00DF8F3F

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 8f4ee77467f08260de6922d2088aadc8c19fe85ee177113f695d3a275c037d9c
Instruction ID: 531fee2f30e839d494a708f67b17bc643438943a40580862f75b30c3e0f9acce
Opcode Fuzzy Hash: 8f4ee77467f08260de6922d2088aadc8c19fe85ee177113f695d3a275c037d9c
Instruction Fuzzy Hash: 57218F726143089FCB08AF65D895A7A77A5FF84310B16C05DFA0A9F292DE70EC01DB72

Function 00DFD2A3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001043C,00DFA8E0,?,?), ref: 00DFD31B

Strings

GETPASSWORD1, xrefs: 00DFD310
pZ, xrefs: 00DFD32B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$pZ
API String ID: 665744214-1351459933
Opcode ID: 9d1d428200f87b1398cb9d8458f2fb074ba41614b7a1658317af7310413044d3
Instruction ID: 1b57bf28456ae424430a70755a43c7a037d9aea43f19d632215df622075cc24a
Opcode Fuzzy Hash: 9d1d428200f87b1398cb9d8458f2fb074ba41614b7a1658317af7310413044d3
Instruction Fuzzy Hash: E6117B3260424C6EDB21AE359C42BF7379ABB06350F098064BF89B7191C7B09C84E3B5

Function 00DEEB32 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00DEEAB3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DEEAD2
Part of subcall function 00DEEAB3: GetProcAddress.KERNEL32(00E271C0,CryptUnprotectMemory), ref: 00DEEAE2

GetCurrentProcessId.KERNEL32(?,?,?,00DEEB2C), ref: 00DEEBC4

Strings

CryptProtectMemory failed, xrefs: 00DEEB7B
CryptUnprotectMemory failed, xrefs: 00DEEBBC

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 5a0585feade00233aacd58da6522cb241a4e80a62453e3021251f63e6c497d50
Instruction ID: 18e903fb1645266568c24e9eaff61638a5da6c23c8f601c957c97d49c9123546
Opcode Fuzzy Hash: 5a0585feade00233aacd58da6522cb241a4e80a62453e3021251f63e6c497d50
Instruction Fuzzy Hash: 34110331A096A86FDB25BF22DC02AAE3B54EF04720B08811DFC477B2A1C674AD51C7F5

Function 00E09A10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E09A3E
_free.LIBCMT ref: 00E09A64

Strings

pY, xrefs: 00E09ACB

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: _free
String ID: pY
API String ID: 269201875-4257660193
Opcode ID: f06f7e9ae0b4201a0f0a993f9bd1d85b98253bce569f2ceae1e539b9b54c7733
Instruction ID: 07135cd1c8364d2aa95301535fed5ce949ab9f5fb3ec791ccd6675f4c33cd987
Opcode Fuzzy Hash: f06f7e9ae0b4201a0f0a993f9bd1d85b98253bce569f2ceae1e539b9b54c7733
Instruction Fuzzy Hash: ED11D371B402119FEB209F39AC49B5536E4A752724F182726FA61FB1F3E7B4D8C68284

Function 00DE130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00DED9D8: _swprintf.LIBCMT ref: 00DED9FE
Part of subcall function 00DED9D8: _strlen.LIBCMT ref: 00DEDA1F
Part of subcall function 00DED9D8: SetDlgItemTextW.USER32(?,00E1D154,?), ref: 00DEDA7F
Part of subcall function 00DED9D8: GetWindowRect.USER32(?,?), ref: 00DEDAB9
Part of subcall function 00DED9D8: GetClientRect.USER32(?,?), ref: 00DEDAC5

GetDlgItem.USER32(00000000,00003021), ref: 00DE134F
SetWindowTextW.USER32(00000000,00E125B4), ref: 00DE1365

Strings

0, xrefs: 00DE130E

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 50d79af6e3e79b4c1c69c93d63bc4cf14959e89a8d9eb2751f6af618a2a9c9ad
Instruction ID: f20aa38e6bb9b2d2563f2e47991141eead5dec6fe382a8cb41f64c79fac3cecc
Opcode Fuzzy Hash: 50d79af6e3e79b4c1c69c93d63bc4cf14959e89a8d9eb2751f6af618a2a9c9ad
Instruction Fuzzy Hash: CBF0AF382003C8ABDF256F63CC19BEA3B99BB51345F0C8114FD4564AA2CB79C995EA70

Function 00DF07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00DF08CB,?,?,00DF094F,?,?,?,?,?,00DF0939), ref: 00DF07B2
GetLastError.KERNEL32(?,?,00DF094F,?,?,?,?,?,00DF0939), ref: 00DF07BE

Part of subcall function 00DE6E26: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE6E44

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00DF07C7

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: a3af5675ac38d88a908003a847e8c45a092ee68cd09e982cc5252143dd934202
Instruction ID: ffd15582ec295e4467cf24b212b8018e2c08c6d2cdcd8496b941ecd8b697f49b
Opcode Fuzzy Hash: a3af5675ac38d88a908003a847e8c45a092ee68cd09e982cc5252143dd934202
Instruction Fuzzy Hash: F2D05E725081217BD6003B669C0ADEF3E06DB66770F25C719F339791F5CA204E9286F6

Function 00DED98E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00DED26F,?), ref: 00DED993
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00DED26F,?), ref: 00DED9A1

Strings

RTL, xrefs: 00DED99B

Memory Dump Source

Source File: 00000000.00000002.1239545490.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1239529912.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239570928.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239586398.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1239634775.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_zixing.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: d0151f08653d22a423d6d0926b4707c26ac13057649db37503e9e325a9297a19
Instruction ID: 39c8f6a5a73f1b9447af91b9e0e6b8b45ccdf581bfd3b911f052e9abf73a48c8
Opcode Fuzzy Hash: d0151f08653d22a423d6d0926b4707c26ac13057649db37503e9e325a9297a19
Instruction Fuzzy Hash: 7EC012316457516AD7302B366C0DBC329496B54B11F09454CB341E91D0D9E5C494C660

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zixing.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\update\ORDERSEC_STYLETWO.rpt

C:\Users\user\Desktop\update\daysum.rpt

C:\Users\user\Desktop\update\daysum2.rpt

C:\Users\user\Desktop\update\dayxxb.rpt

C:\Users\user\Desktop\update\metalout_style1.rpt

C:\Users\user\Desktop\update\zwei.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
zixing.exe

Function 00DFD42A Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 197
filesleeptimeCOMMON

Function 00DF9D9A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 00DEA534 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Function 00DF002D Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Function 00DED281 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Function 00DFC9E2 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 00E09ED8 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Function 00DE9950 Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Function 00DFABC4 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Function 00DFA245 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 00DFA2B3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Function 00DFD104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Function 00DEA1EB Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Function 00DE97EE Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Function 00E0A374 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE